
Cyber attacks

Cyber attacks target the information space of a computer: the information stored on it and the physical or virtual devices that hold it. An attack usually targets a storage medium designed to store, process and transmit a user's personal information.

Content

The number of cyber attacks in Russia and in the world

Main article: The number of cyber attacks in Russia and in the world

Cyber warfare attacks between countries

Some of the reports of cyber attacks are part of countries' propaganda within cyber wars and have no evidence behind them.

Cyber attack models

Attack targets

Modern security has no borders

Cyber attacks on cars

Main article: Cyberattacks on cars

Attack tools

Cyber attacks in key industries

Protecting the company from cyber attacks

Main article: Information security in the company

Chronicle of events

2024

Group known for cyber attacks on Latin America reaches Russia

Specialists from the Positive Technologies Security Center (PT Expert Security Center, PT ESC) have discovered a series of attacks around the world. The attackers' distinctive "handwriting" allows the experts to argue that these attacks are most likely associated with the TA558 group. The hacker group, seen in Latin America since 2018, is expanding its geography: companies from Turkey, Romania and Russia are among the top 10 victims. Positive Technologies reported this on April 15, 2024.

"In the attacks we investigated, the group actively used the steganography technique: payload files were transmitted inside the pictures. In addition to steganography, the group used text services in the same way. Interestingly, both methods were simultaneously used in the chains for better protection against detection," said Alexander Badaev, a specialist in the information security threat research department of the Positive Technologies security expert center. "Most of the names of the malicious files contained the word 'love,' so we called this operation SteganoAmor. All this helped us find connections between different elements of the attack and establish that they belong to the same group."

According to the report, the group uses legitimate services to host malicious software and images carrying malicious code. In the attacks, the hackers used well-known malware, including Agent Tesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogger and XWorm.

Having studied all the details and existing research, PT ESC specialists linked these attacks to the TA558 group, known for its interest in companies from Latin America (mainly tourism and hospitality). The analysis found many samples aimed at various sectors and countries. The experts obtained several hundred phishing emails sent to different companies. More than 50 attacks were intended for Russian, Romanian and Turkish companies.

In total, during the study, Positive Technologies specialists identified more than 320 attacks aimed at companies from 31 countries, including the USA, Germany and India. Among the most affected industries are industry (21%), services (16%), the public sector (16%), electricity (8%) and construction (8%).

According to Positive Technologies, such attacks can be detected using specialized security tools, and to analyze attacks and prevent them, it is necessary to involve professionals in the investigation of cyber incidents.

Cyber attacks on medium and small businesses will increase significantly

The Center for Countering Cyber Threats Innostage CyberART conducted a study of the cyber threats that Russian companies faced in 2023. The Center's analysts collected statistics on DDoS attacks and personal data leaks throughout Russia, and also analyzed a sample of Russian companies using open-source cyber intelligence (OSINT) tools. Innostage announced this on January 22, 2024.

Based on the work done, analysts identified key trends in the field of cybersecurity that are relevant in early 2024.

Trend 1. Hackers keep their focus on medium and small businesses. In particular, in 2023, 43% of leaks occurred in medium-sized businesses, 38% in small and 19% in large.

Trend 2. The number of attacks on both domestic software developers and their partners increased one and a half times in 2023. Software supply chains and the services provided by contractors are becoming the point of penetration into IT infrastructure and cause information security incidents even among large and well-protected companies. Having carried out an incident at an IT contractor, the attackers then attempt to reach its customers.

Trend 3. Telegram is becoming a key platform for publishing fragments of stolen data and messages about carried-out incidents, as well as the main means of communication for hackers.

Trend 4. Guided by political motives and wanting to attract more attention, hackers publish reports of leaks in open sources before public holidays and important historical dates. Hacks themselves, as a rule, are carried out one to two weeks before the moment of public notification about them.

Trend 5. Full leak files appear less often in public sources. The stolen information is published in parts so that it is difficult to assess the damage and determine which resources were compromised.

Analysts at the OSINT group reviewed more than 2,000 incidents and classified them into several types. 45% of incidents are related to the leakage of confidential data, references to which were found in public forums and repositories. In addition, OSINT analysts found company data on the DeepWeb, the part of the Internet that can only be accessed using special programs that preserve user anonymity and encrypt traffic. Such incidents accounted for about 2% of the sample.

Another 27% of incidents involve phishing domains: detected pages whose content or domain name mimics the domains of the attacked company.

24% are suspected incidents related to vulnerabilities and errors on the external network perimeter. Along with administrator errors, malicious activity and service compromise, these statistics include conditionally legitimate changes that are sent to the customer for confirmation.

Other types of identified incidents include the publication of information about trending threats and zero-day vulnerabilities, substitution of site pages (defacement), and disclosure of infrastructure data. Since customers usually subscribe to the full service package, of which OSINT services are only a small part, notification of most vulnerabilities occurs much earlier. The OSINT group finds a wide variety of vulnerabilities about which information can be obtained from open sources: for example, an outdated software version containing known vulnerabilities, excessive resource indexing, software configuration errors or default passwords.

As part of the study, analysts also identified 4.1 thousand domains and 23.8 thousand unique IPs in Russia that were subjected to single or serial DDoS attacks. Among the published personal data, they found 45 million unique postal addresses; over the year the number of records in leaks increased by 14%.

"From year to year there is a dynamics of growth in the number and power of attacks on state and commercial companies, new techniques and tactics of attackers appear. The most vulnerable are still small and medium-sized businesses. The lack of cyber-resilient IT infrastructure and qualified information security specialists in the company's staff make it an easily accessible target. This also jeopardizes the clients and business partners of the attacked organization," said Maxim Akimov, head of the Cyber Threat Counteraction Center Innostage CyberART.

2023

Positive Technologies revealed statistics on successful attacks. The data differ greatly from threat statistics

In mid-November, at the SOC Forum 2023, Positive Technologies shared the results of an analysis of its investigations into the consequences of cyber attacks conducted from early 2021 to the third quarter of 2023. It turned out that the statistics on successful attacks differ greatly from the threat statistics published earlier by the same Positive Technologies.

In particular, in this study the main vector of hacker penetration was web applications located on the perimeter: 63% of successful attacks. The most frequently attacked web applications were Microsoft Exchange (50% of all attacks where a vulnerable web application was the initial penetration vector), the Bitrix 24 web server (13%) and Atlassian products (7%), for example Confluence and Jira. Moreover, according to Denis Goidenko, head of the threat response department at PT ESC, exploits for very old vulnerabilities are often used for penetration, vulnerabilities which for some reason the victims have not yet eliminated.

Exploits for previously unknown vulnerabilities were used in only 2% of cases, the smallest share among the listed attack vectors. Phishing is in second place in terms of effectiveness (17% of investigations), and credential leaks are in third place (10%).

Distribution of Successful Infrastructure Penetration Methods

Setting up a process for updating applications, especially those located on the enterprise perimeter, will allow companies to greatly reduce the likelihood of penetration into their infrastructure. In addition, for state-owned companies and industrial enterprises, the web application itself can be moved to a provider's cloud, with only the communications between it and the corporate infrastructure controlled in as much detail as possible.

However, the same company's threat statistics look somewhat different: 64% of attacks involve malware, usually delivered through phishing, and another 50% involve social engineering, aimed both at luring out user credentials and at launching malware. Credential compromise is also listed separately among the threats, at another 22% of attacks. In the chart of successful attacks given above, phishing accounts for only 17% of successful incidents, and entry with stolen credentials for 10%. At the same time, vulnerability exploitation accounts for only 24% of threats, but the effectiveness of this penetration method, as noted earlier, is much higher.

Threat analysis published by Positive Technologies this summer

In total, over the past 2.5 years, Positive Technologies specialists have investigated more than a hundred cases of attacks on Russian enterprises; in 2022 there were 50% more requests to investigate cyber attacks than in 2021, and in the first three quarters of this year the growth was 76%. The largest groups in the sample were state-owned enterprises (25%) and industry (24%). Even financial institutions, which were previously the main target of hackers, now appear in hacking statistics half as often: their share in the sample is 12%. The fewest cases of successful attacks were in telecom and scientific (educational) institutions, 3% each.

Breakdown of company-investigated incidents by industry

We can conclude that putting the cybersecurity of state resources and industrial facilities in order, which is also the aim of Law No. 187-FZ "On the Security of the Critical Information Infrastructure of the Russian Federation," can greatly reduce the total number of successful attacks.

According to the data provided in the study, only 40% of incidents are attributed to known hacker cyber groups. The report cites names such as Lazarus, Cobalt, DarkRiver and many others. However, the proportion of unknown groups is much larger. Denis Goidenko, at the press conference where the report was presented, promised that the company would disclose the names and details of the actions of hackers in Russia.

"Attributing attackers responsible for a cyber attack is a complex process that is not always successful," he explained in his speech. "Over the past three years, our experts have identified incidents involving 15 APT groups known and identified based on the tools used, network infrastructure and penetration tactics used by them. As a rule, APT groups use unique malware, which is responsible for ensuring the access of attackers to the company's infrastructure after the initial compromise. Nevertheless, both APT groups and lower-skilled attackers use auxiliary software, which is overwhelmingly publicly available on the Internet."

APT Attack Mapping by Industry

At the same time, in 21% of cases ransomware attacks were recorded, and this has been the most popular type of attack recently. Moreover, hackers first exfiltrate all valuable data from the company, then encrypt its infrastructure and demand a ransom both for decrypting the data and for not publishing the confidential information. According to Denis Goidenko, decryption was possible only in isolated cases when the attackers made a mistake. In most cases nothing can be done, and even investigating such incidents is quite difficult.

It is ransomware that is now becoming the main way to disable a company or organization, so protection against these tools must be planned for. In most cases, specialized malware is used for encryption, which antivirus products recognize, but in some cases both the BitLocker built into Windows and the open-source DiskCryptor tool were used. Protection against encryption requires tools that control the behavior of the corresponding programs and can block unauthorized encryption of disks and individual files.
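As an added illustration of the behavioral controls the paragraph calls for (this is example code, not Positive Technologies' tooling), the script below applies two defender-side heuristics to constructed telemetry: it flags launches of built-in or legitimate encryption tools with switches that turn encryption on, and it flags a single process that renames many files to a new extension within a short window, the footprint of file-encrypting ransomware. The log records are simplified Sysmon-style fields built inline; the DiskCryptor binary names in the watchlist are an assumption to be checked against the real installed binaries.

```python
"""Behavioral flags for unauthorized encryption (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional
import ntpath

# manage-bde.exe is the real BitLocker command-line tool. The DiskCryptor names
# are an ASSUMPTION for illustration; verify against the binaries you deploy.
ENCRYPTION_TOOLS = {"manage-bde.exe", "dccon.exe", "dcrypt.exe"}
# manage-bde switches that enable protection or change keys; read-only queries
# such as "-status" are normal administration and are not flagged.
BDE_ENABLE_SWITCHES = ("-on ", "-protectors -add", "-changepassword", "-changepin")


@dataclass
class ProcEvent:          # simplified Sysmon Event ID 1 (process creation) fields
    ts: int
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class FileEvent:          # simplified file write / rename telemetry
    ts: int
    host: str
    pid: int
    image: str
    path: str
    new_path: Optional[str] = None   # set only for rename events


def flag_tool_launches(events):
    """Return (host, user, tool, cmdline) for encryption-tool launches that
    actually enable encryption, i.e. the cases a SOC should triage."""
    hits = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        if name not in ENCRYPTION_TOOLS:
            continue
        cmd = e.cmdline.lower() + " "           # trailing space so "-on " matches at end
        if name == "manage-bde.exe" and not any(s in cmd for s in BDE_ENABLE_SWITCHES):
            continue
        hits.append((e.host, e.user, name, e.cmdline))
    return hits


def flag_mass_renames(file_events, window_s=60, threshold=50):
    """Alert once per (host, pid) when one process renames at least `threshold`
    files to a different extension within `window_s` seconds."""
    recent = defaultdict(deque)     # (host, pid) -> timestamps of extension-changing renames
    alerts = {}
    for e in sorted(file_events, key=lambda x: x.ts):
        if e.new_path is None:
            continue
        old_ext = ntpath.splitext(e.path)[1].lower()
        new_ext = ntpath.splitext(e.new_path)[1].lower()
        if old_ext == new_ext:
            continue                              # in-place save, not an encryption footprint
        key = (e.host, e.pid)
        q = recent[key]
        q.append(e.ts)
        while q and q[0] < e.ts - window_s:       # slide the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"image": e.image, "count": len(q),
                           "first_ts": q[0], "last_ts": e.ts, "new_ext": new_ext}
    return alerts


def build_sample():
    """Constructed telemetry: one benign BitLocker status query, one enable,
    a few Office temp-file renames and an 80-file rename burst to '.locked'."""
    procs = [
        ProcEvent(100, "fs01", "CORP\\admin", r"C:\Windows\System32\manage-bde.exe",
                  "manage-bde -status C:"),
        ProcEvent(160, "fs01", "CORP\\svc_backup", r"C:\Windows\System32\manage-bde.exe",
                  "manage-bde -on D: -UsedSpaceOnly -RecoveryPassword"),
        ProcEvent(170, "fs01", "CORP\\jdoe",
                  r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n"),
    ]
    files = [FileEvent(200 + i, "fs01", 1000, "WINWORD.EXE",
                       rf"D:\docs\~WRD{i}.tmp", rf"D:\docs\report{i}.docx") for i in range(3)]
    files += [FileEvent(300 + i // 2, "fs01", 4242, r"C:\Users\Public\svchost.exe",
                        rf"D:\share\dept{i % 5}\file{i}.xlsx",
                        rf"D:\share\dept{i % 5}\file{i}.xlsx.locked") for i in range(80)]
    return procs, files


if __name__ == "__main__":
    procs, files = build_sample()
    for hit in flag_tool_launches(procs):
        print("ENCRYPTION TOOL ENABLED:", hit)
    for key, info in flag_mass_renames(files).items():
        print("MASS RENAME:", key, info)
```

In production the same two checks would consume EDR or Sysmon events in real time, and the rename alert would be wired to a response action that suspends the offending process.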

Gas stations in Iran crashed after a large-scale cyber attack

At the end of October 2021, the Iranian authorities accused hackers of disrupting the operation of gas stations throughout the country. In what form the cyber attack was carried out is not specified, and no group has claimed responsibility. Read more here.

The number of cyber sabotage attacks in Russia increased by 140% over the year

On October 20, 2023, the F.A.C.C.T. digital forensics laboratory announced that it had investigated the high-tech crimes of 2023 based on incident responses conducted at Russian companies. The number of ransomware attacks in the first 9 months of 2023 increased by 75% compared to the same period of 2022, and the average initial ransom demanded for data decryption exceeded 37 million rubles. The number of politically motivated cyberattacks, whose purpose was the theft of confidential data or the complete destruction of IT infrastructure, grew by 140% compared to 2022.

The most popular type of cyber threat encountered by F.A.C.C.T. forensic experts during incident response was attacks using ransomware. The victims of ransomware were most often Russian retailers, manufacturing, construction, travel and insurance companies. The average downtime of the attacked company was 14-18 days.

The most aggressive criminal groups in Russia in 2023 were Shadow and Twelve. Although they appeared on the researchers' radar only at the beginning of 2023, the hackers managed to carry out a series of high-profile attacks. Shadow extortionists steal and encrypt data, demanding a large ransom from the victim, usually 5-10% of the company's annual revenue, for decrypting the data and not publishing the stolen confidential information.

Twelve, on the contrary, does not work for money: first, the attackers steal the victim's confidential data, and at the final stage of the attack they destroy the IT infrastructure, erasing and encrypting data without the possibility of restoring it. It was this group that in the spring of 2023 claimed responsibility for the attack on the Federal Customs Service of the Russian Federation, and in May for the attack on a Russian manufacturer of hydraulic equipment, among others.

After F.A.C.C.T. experts published a study showing that Shadow and Twelve are one hacking group with common tools and techniques and, in several attacks, common network infrastructure, the Shadow ransomware operators rebranded and began to use the name Comet (C0met) in their attacks.

In general, in Russia the average initial ransom demanded by ransomware operators from a victim in 2023 was 37 million rubles. The record was set by the Shadow group, which demanded 200 million rubles for decrypting the data. True, this is five times less than the OldGremlin ransomware asked of one of its victims in 2022, when the ransom amount reached 1 billion rubles.

The most common ransomware that criminals used to attack Russian companies was LockBit, Conti and Babuk, the reason being the appearance of their source code in the public domain.

The most popular technique used to gain initial access to corporate networks in 2023 was the compromise of remote access services, especially RDP and VPN. Along with this, there is an increase in attacks in which access to infrastructure was obtained by compromising IT partners whose services the victim organizations used. In 2022, the main attack vectors for most ransomware gangs were the exploitation of vulnerabilities in publicly available applications and phishing.

More actively than cybercriminals, pro-state hackers and hacktivists attacked Russian companies: the number of such attacks grew by 140% compared to 2022. The targets of politically motivated attackers were most often enterprises associated with critical infrastructure, the public sector or the defense industry. Along with the giants, IT companies from the small and medium-sized business segment were at risk: Internet retailers, integrators and software developers, attacks on which give attackers access not only to client databases but also to authentication data for the infrastructure of their customers, larger market players.

In the first half of 2023, F.A.C.C.T. recorded 114 leaks from Russian commercial companies and state organizations; the number of leaked lines of user data increased more than 11 times compared to the same period of 2022, to 62.1 million. Most of the stolen databases were released by criminals publicly and for free, but some of the leaks the attackers did not publish in the public domain: they sold them or used them in subsequent attacks.

"For the fourth year in a row, ransomware has remained one of the main cyber threats that Russian companies are dealing with. Since 2022, cybercriminals have noticeably changed their motive - not so much to earn money as to cause the greatest damage to companies and their customers. In 2023, the growth of such attacks was especially noticeable. The attackers do not immediately publish the leaked data, but use it to carry out cascading attacks on large players in both the commercial and public sectors," noted Anton Velichko, head of the Digital Forensics Laboratory at F.A.C.C.T.

To resist attackers effectively, both organizationally and technically, and to minimize damage to the company, it is necessary either to quickly bring in outside specialists or, which is easier, to have a subscription to an incident response retainer in advance. This is a package of prepaid proactive and reactive services for prompt professional response to an attack, whenever it occurs, in 24/7/365 format. On the first signal, a forensic team travels to the site or responds remotely, minimizing infrastructure downtime and damage from the cyber attack without wasting time agreeing on contracts and other legal documents. The incident response service in Russia was first launched by the Digital Forensics Laboratory in 2015.

71% of Russian companies faced cyber attacks on their web resources in the first half of the year

According to a survey conducted by CROC Cloud Services and SolidWall, the developer of a web application protection solution, in the first half of 2023, 71% of Russian companies faced cyber attacks on their web resources. Most of them suffered from several types of combined attacks at the same time. At the same time, 37% of respondents admitted that they still do not protect their web resources. CROC announced this on September 15, 2023. Read more here.

57% of attacks on organizations in the Asian region used malware

On September 12, 2023, Positive Technologies presented a study of current cyber threats in the Asian region in 2022-2023. The study showed that malware was used in 57% of attacks on organizations, the industrial sector turned out to be the most attacked by ransomware, and cyber espionage became the main motive of cybercriminals. At the same time, almost a third of successful attacks led to an unacceptable event: disruption of the organization's main activities. To strengthen protection, states and organizations in the Asian region need to build effective cyber security, identify unacceptable events at the level of industries and of countries as a whole, and optimize the resource and legislative base in the field of cyber defense.

According to the analysis, 74% of attacks were targeted, that is, aimed at specific organizations, industries or people. Ransomware poses a serious threat to business in the region: its main victims were industrial enterprises, which accounted for 34% of successful attacks. According to Ekaterina Kilyusheva, a leading expert at Positive Technologies' information security department, this figure is higher than its global counterpart: in 2022, the industrial sector accounted for 15% of successful ransomware attacks worldwide. In addition, ransomware targets medical institutions (11%), financial institutions (11%) and IT companies (10%).

Categories of victims among organizations

One of the main threats to organizations and Asian states is cyber espionage. Almost every third attack using malware involved spyware. In half of the successful attacks on organizations (49%), confidential information was compromised. Ordinary users also faced leaks of confidential information: 76% of successful attacks on them led to such consequences. In total, 24% of successful attacks were directed at individuals, which exceeds the same indicator worldwide (in 2022, the share of attacks on users in the world was 17%). In malware attacks on individuals, 56% used spyware.

In 27% of successful attacks on organizations, a violation of the main activity was recorded, including a temporary stop of business processes, lack of access to infrastructure or data.

According to a Positive Technologies study, government agencies (22% of all attacks on organizations), industrial companies (9%), IT companies (8%) and financial organizations (7%) were most often victims of attacks. According to experts, government agencies in the Asian region have become the main target of cybercriminals for several reasons. First, these systems store a large amount of valuable information, including personal data of citizens, statistics, information of national importance. Second, many countries in the region are digitally transforming and actively integrating technology into their government systems. This leads to the risk of new vulnerabilities in information systems.

According to experts, IT companies entered the top 3 most attacked industries for a number of reasons.

"The countries of Southeast Asia, including India and China, have experienced rapid growth in the field of IT and have become centers of technological innovation, in this region there are leading IT companies in the world. These companies have a large amount of valuable data, among which intellectual property and user information are of particular interest. Hacking them can bring significant benefits to cybercriminals, whether it is selling information in the shadow market or using it for a competitive advantage," told Ekaterina Kilyusheva.

Most attacks on organizations in the region (81%) are directed at computers, servers and network equipment. In 22% of cases, attackers successfully hacked web resources, most often using known vulnerabilities or compromising credentials.

In attacks on organizations, malicious software (malware) is used in 57% of cases. Social engineering methods (40% of successful attacks) and the exploitation of vulnerabilities in company resources (39%) are used almost equally often. This indicates insufficient protection of organizations' publicly available resources. The resources of less secure countries can also be used as a springboard for testing exploits for vulnerabilities.

The most common type of malware in attacks on organizations was remote-control tools (54% of successful attacks using malware). Ransomware was in second place, used in half of the attacks involving malware. Spyware was third (35%).

According to the study, organizations of the Asian region are very popular in the shadow market of cyber services: among the countries of the region, advertisements for the sale of access to companies are most common for China, Thailand and India. These are mainly government organizations, IT companies and service companies. The cost of access to a company's information systems depends on the size of the organization and the privileges of the account. Access to a network with the rights of an ordinary user, or to a small company, can cost $100-200, while domain administrator privileges are estimated at $500 or more.

"The Asian region is subject to the most powerful and frequent attacks, as evidenced by world statistics - it accounted for a third of all cyber attacks in 2022. Their reasons lie primarily in cyber espionage. At the same time, almost a third of companies faced an interruption in their activities. This figure speaks of the urgent need for organizations to analyze unacceptable events in order to build security with an eye to preventing them. Our expert statistics indicate that the capacity of the Asian cybersecurity market is very high," commented Artem Sychev, Advisor to the CEO of Positive Technologies.

According to Sychev, states need to identify unacceptable events at the level of industries and the country as a whole and allocate resources effectively to protect the most important systems. It is important to update legislative measures in the field of information security in a timely manner to match current cyber threats and keep up with the development of technologies, to improve mechanisms for interacting with national and industry centers for responding to cyber incidents, and to cooperate with international partners in the fight against cyber threats. Among the recommendations for business, the expert named the need to analyze the main risks and draw up a list of unacceptable events that could cause significant damage to the company's activities, to monitor and respond to cyber threats, to train employees and to develop information security specialists.

Hacker neural network FraudGPT launched. It can hack sites and steal bank card details

On July 25, 2023, Netenrich, a company specializing in information security solutions, announced the emergence of a hacker chat bot FraudGPT based on artificial intelligence. Read more here.

Little-studied MgBot framework used by China in spying campaigns in Africa

Symantec experts reported that the China-associated group Daggerfly has been attacking telecommunications companies in Africa since November 2022 in order to collect intelligence data. This became known on April 21, 2023. Read more here.

World's first insurer issues cyber-linked bonds

On January 9, 2023, London-based insurer Beazley issued cyber catastrophe bonds for the first time in the industry. It is noted that this was prompted by growing fears about cyber attacks and the worsening financial consequences of hacker attacks. Read more here.

2022

More than half of the attacks were committed by qualified attackers

PT Expert Security Center experts reported on the results of cyber incident investigations in 2022. More than half of the attacks were committed by qualified attackers, and 20% of cases were supply chain and trusted relationship attacks, the investigation of which requires highly qualified information security specialists. Positive Technologies announced this on January 16, 2023.

In 2022, employees of the Positive Technologies Security Center (PT Expert Security Center, PT ESC) conducted more than 50 investigations. The number of incidents peaked in April. PT ESC noted that the effectiveness of the attackers remained at the same level: the number of incidents increased in proportion to the number of attacks.

"The level of training of attackers in terms of the complexity of the attacks we recorded is the most different: from schoolchildren to pro-government APT groups," said Alexey Novikov, director of the Positive Technologies security expert center. "More than half of the attacks were carried out by qualified attackers, and 20% of the cases were supply chain and trusted relationship attacks, which are difficult to investigate. We are seeing an interesting trend: attackers do not invent new methods of attack, but nevertheless the number of incidents using already known methods continues to grow."

According to Positive Technologies, most of the attacks on Russian enterprises in 2022 were committed by politically motivated attackers, hacktivists; there were both lone hackers and spontaneously organized groups, consisting mainly of disparate enthusiasts who need only a laptop with an Internet connection to attack.

In 2022, professional APT groups continued their activity, in particular APT31, Cloud Atlas and Space Pirates. According to the results of investigations conducted by PT ESC employees, the sectoral interests of the groups that attacked Russian organizations were distributed between state-owned enterprises (30% of cases), IT companies (16%), the financial, energy and industrial sectors (10% of cases for each). In addition, the landscape of cyber groups has undergone changes.

"Previously, new highly qualified criminal associations arose quite rarely, so we could quickly attribute this or that attack to the already familiar APT groups in terms of tools, tactics and techniques used in the attack," said Alexey Novikov. "In 2022, a large number of previously unknown cyber groups were discovered. Curiously, some of them de-anonymized themselves on social networks, revealing their involvement in the attacks."

Most often, the goal of the groups' attacks was theft and "leaking" of data to the Internet to cause reputational damage to the victims.

Among the vulnerabilities most actively used to penetrate company infrastructure, PT ESC experts noted flaws in Microsoft Exchange servers, Log4Shell, ProxyNotShell and ProxyShell. As for new techniques of cybercriminals, attacks on open-source software attract attention.

According to experts from the Positive Technologies expert center, infostealers, encryptors and wipers were the most effective malware in attacks. They allow attackers to quickly gain access to the victim's infrastructure and steal data without wasting time searching for zero-day vulnerabilities.

According to Alexei Novikov, in 2023 we should expect the development of hacktivism against Russian organizations, including from well-known cyber groups. In addition, the creation of new APT groups, the emergence of new zero-day vulnerabilities, as well as the activation of "sleeping" incidents are not excluded. Experts also suggested an increase in the number of attacks on authentication solution providers and the growth of the shadow market for cyber services in instant messengers.

The high level of cyber threats is forcing Russian companies to change the paradigm of building cybersecurity in favor of ensuring the digital resilience of the enterprise. Positive Technologies noted that it must be provided in a targeted way, focusing on the company's most valuable assets, a negative impact on which can lead to unacceptable events for the business.

How hackers attack companies using Zoom

On January 5, 2023, Cyble Research & Intelligence Labs (CRIL) spoke about a new cybercriminal scheme that cybercriminals use to attack various organizations. This time, scammers are hiding behind the Zoom video conferencing service. Read more here.

Hackers steal data of Indian students across the country over 18 years

On December 5, 2022, it became known that the cybercriminal group Team Mysterious Bangladesh had announced the hacking of the computer system of the Central Board of Higher Education of India (CBHE). Data on students for an 18-year period across the whole country may have ended up in the attackers' hands. Read more here.

Hackers blocked the personal accounts of all users of Greek public services

Killnet blocked the websites of Greek government bodies "for assisting" NATO. The hackers reported the cyber attack on Greek government resources on their Telegram channel on November 11, 2022. Read more here.

Canada's largest meat producer survives cyber attack that shut down company's IT systems

Canada's largest meat producer Maple Leaf Foods has survived a cyber attack that shut down corporate IT systems. The company itself announced this on November 6, 2022. Read more here.

India's largest energy company has been hit by cyber attacks. Part of IT systems stopped

On October 14, 2022, Tata Power, part of the Tata Group and the largest integrated energy company in India, reported a cyber attack on its infrastructure. As a result of the hacker attack, some IT systems were suspended. Read more here.

More than 30% of the total number of cyber incidents fell on attacks through web applications

According to Informzaschita data for 2022, more than 30% of all cyber incidents were attacks through web applications. The company announced this on October 14, 2022. This is 16% more than in the same period of 2021. According to foreign experts, in 2020 web applications were at the center of 39% of hacks. Hackers exploit vulnerabilities in the application's code to gain access to databases containing sensitive data. Having stolen the data, attackers use it for ransom or resell it on the black market for further use in social engineering.

With the proliferation of web applications, the attack surface of organizations has expanded significantly. Applications run on personal and work devices, very often stay open and run in the background, and security updates are not always applied regularly.

Often, web applications contain personal information of users, such as financial and medical data or other sensitive records that can be monetized for illegal gain. This means that hackers have the ability to access an open, vulnerable attack surface, and therefore valuable information.

No one is immune to cyber attacks, but some industries face more pressure than others. Informzaschita experts, analyzing 2021 and 2022, argue that finance, healthcare, government and administration, and professional services suffer most from cybercriminals' actions. Thus, the surge in online and mobile banking applications during the pandemic increased organizations' need to manage huge amounts of data related to personal finances. Attackers saw new opportunities in this trend: web application attacks on the financial services sector increased by 38% between January and May 2021. Hackers also began to attack the healthcare industry more often: basic web application attacks, miscellaneous errors and system intrusions accounted for 76% of data breaches in this sector in 2021.

Attackers have many methods they can use to launch application-based attacks. As of October 2022, some of the most common vectors can be identified.

For example, cross-site scripting (XSS) is popular among hackers. This attack occurs when an attacker injects malicious code into a trusted website, which then delivers it to an unsuspecting user. Assuming the code coming from the site is trustworthy, the recipient's browser executes it without verification, thereby giving the hacker access to any records stored in the browser. Therefore, it is worth remembering that any data not created by PHP itself for the current request is untrusted. The browser trusts everything it receives from the server, and this is one of the main reasons cross-site scripting works.

SQL injection: this attack takes advantage of the fact that applications must query their own database in order to fulfil a user request. Instead of the expected content request, the attacker inserts his own SQL query into the web page input, effectively replacing the harmless request with a malicious one. Successful attacks can allow attackers to fake identities, change data, destroy data, or make it completely inaccessible.

Credential stuffing: one of the most common techniques for taking over user accounts. The attack automatically tries leaked username and password pairs, brute-force style, against hundreds of different sites. It exploits the human habit of reusing the same password for multiple accounts and applications.
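Seen from the defending site, credential stuffing has a recognisable shape: one source tries many different accounts in a short time and fails most of them. The following Python code is an added example, not from the article or from Informzaschita; it scans a small constructed authentication log (IP addresses from the RFC 5737 documentation ranges, invented usernames) for that pattern and then lists the accounts that did log in successfully from a flagged source, since those are the reused passwords that need resetting. The log format, the thresholds and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (example data only; IPs are from the
# RFC 5737 documentation ranges and the usernames are invented).
SAMPLE_LOG = """\
2022-10-14T09:00:01 ip=203.0.113.7 user=alice result=FAIL
2022-10-14T09:00:02 ip=203.0.113.7 user=bob result=FAIL
2022-10-14T09:00:02 ip=203.0.113.7 user=carol result=FAIL
2022-10-14T09:00:03 ip=203.0.113.7 user=dave result=FAIL
2022-10-14T09:00:04 ip=203.0.113.7 user=erin result=FAIL
2022-10-14T09:00:05 ip=203.0.113.7 user=frank result=OK
2022-10-14T09:00:06 ip=203.0.113.7 user=grace result=FAIL
2022-10-14T09:01:10 ip=198.51.100.3 user=alice result=FAIL
2022-10-14T09:01:25 ip=198.51.100.3 user=alice result=FAIL
2022-10-14T09:01:40 ip=198.51.100.3 user=alice result=OK
2022-10-14T09:02:00 ip=198.51.100.9 user=bob result=FAIL
this line is malformed and is skipped by the parser
"""

# Assumed log layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn the key=value log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        events.append(
            (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"])
        )
    return events


def find_stuffing_sources(events, window=timedelta(seconds=60), min_users=5):
    """Return {ip: distinct_accounts} for sources whose failed logins hit at
    least `min_users` different accounts inside any `window`-long span.

    A single user mistyping one password is not flagged: the count is of
    distinct account names, not of failures.
    """
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()  # sliding window over time-ordered failures
        start = 0
        peak = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({user for _, user in fails[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that authenticated successfully from a flagged source: the
    reused credentials the attacker got right, i.e. the ones to reset."""
    return sorted(
        {user for _, ip, user, result in events if result == "OK" and ip in flagged}
    )


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    print("stuffing sources:", hits)
    print("accounts to reset:", successes_from_flagged(evts, hits))
```

On the sample log the detector flags 203.0.113.7 (six distinct accounts failed within a few seconds) and leaves 198.51.100.3 alone, even though it produced several failures, because they all concern one account. The single success from the flagged source, frank, is the finding that matters operationally: that password was valid and was probably reused from a leak.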

DDoS: distributed denial-of-service attacks work by flooding an organization's server with more requests than it can handle. By overloading the server, the attack can slow web page loading or take entire websites offline. The hackers' aim is to break communication lines and make application services inaccessible. Attackers can also mount such an attack by triggering code, such as a loop counter function or a special object allocation, that generates an extremely large number of requests.

Despite many hacker schemes, organizations also have a set of tools that are used to protect against intrusions. For example, companies can expand the visibility of the attack surface with automated security tools that identify and fix vulnerabilities early in the software development lifecycle.

Experts also recommend sanitizing and validating user input. The fact is that a large number of web application attacks exploit weaknesses in the handling of user input. Organizations can significantly reduce the risk of hacking by sanitizing their input. This can be done by removing unwanted characters from the input and checking that it meets established alphanumeric requirements.
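The advice above (sanitize and validate input, defend against the SQL injection and cross-site scripting vectors described earlier) can be shown in a few lines. The following Python code is an added example, not from the article or from Informzaschita: a user lookup built by string concatenation sits beside its parameterised form, an allowlist validator implements the alphanumeric check the paragraph recommends, and HTML escaping is applied on output. The in-memory user table, the names and the injection string are all constructed for the example, and the function names are assumptions.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for the application's database.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, name):
    # The weak pattern the article describes: user input pasted into the
    # query text, so a quote in the input can rewrite the WHERE clause.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_email_safe(conn, name):
    # Parameterised query: the value travels separately from the SQL text,
    # so it can never change the structure of the statement.
    query = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


# Allowlist for the "alphanumeric requirements" check: letters, digits,
# underscore, 1 to 32 characters. Everything else is rejected up front.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name):
    """True only if the whole string matches the allowlist."""
    return USERNAME_RE.fullmatch(name) is not None


def render_greeting(name):
    """Escape before placing user input into HTML so a script tag is shown
    as literal text instead of being executed by the browser (XSS defence)."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def handle_lookup(conn, raw_name):
    """Request handler in the hardened style: validate, query with
    parameters, escape on output. Returns the HTML fragment sent to the user."""
    if not validate_username(raw_name):
        return "<p>Invalid username.</p>"
    emails = lookup_email_safe(conn, raw_name)
    if not emails:
        return "<p>No such user.</p>"
    return "<p>" + html.escape(raw_name) + ": " + html.escape(emails[0]) + "</p>"


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"  # constructed injection string
    print("vulnerable:", lookup_email_vulnerable(db, injected))  # every row
    print("safe:      ", lookup_email_safe(db, injected))        # nothing
    print(handle_lookup(db, injected))
    print(render_greeting("<script>alert(1)</script>"))
```

Note that validation and parameterisation are layered rather than alternatives: the allowlist rejects the injection string before any query runs, and the parameterised query would still behave correctly if a legitimate field (a free-text comment, say) could not be restricted to an allowlist.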

Finally, organizations should have ethical (white-hat) hackers in their arsenal. These experts can anticipate an attacker's actions by subjecting web applications to the full range of intrusion methods in order to identify existing vulnerabilities.

InterContinental hotel network IT systems fail after massive cyber attack

In early September 2022, the IT systems of the large hotel chain InterContinental Hotels Group, which manages 17 hotel brands around the world, were hacked, leading to ongoing disruption of the corporation's online booking systems and other services. Read more here.

Fraudster stole the data of hundreds of Verizon employees

The fraudster stole the data of hundreds of Verizon employees. This became known on May 28, 2022. Read more here.

"Space pirates" attack the aerospace industry of Russia

A group of hackers with probable Asian origins attacks the Russian space industry using previously unknown malware. This became known on May 18, 2022.

The grouping was discovered by the Positive Technologies Security Expert Center (PT Expert Security Center, PT ESC). In Russia, attackers attacked at least five organizations, in Georgia - one, and the exact number of victims in Mongolia on May 18 is unknown. Among the targets of the attackers identified by Positive Technologies specialists are government agencies and enterprises from the aerospace and electricity industries.

According to the data obtained, the previously unknown APT group has been operating since at least 2017; its key interests are espionage and theft of confidential information. Positive Technologies experts named the group Space Pirates because of the aerospace focus of the first attack they identified and the string P1Rat that the attackers used in PDB paths.

The expert center first recorded traces of the group's activity at the end of 2019, when a Russian aerospace enterprise received a phishing email carrying previously undocumented malware. Over the next two years, PT ESC specialists identified four more domestic companies (two of them with state participation) that were compromised using the same malware and network infrastructure.

According to Positive Technologies experts, at least two Space Pirates attacks in Russia were successful. In the first case, the attackers gained access to at least 20 servers on the corporate network, where they remained for about 10 months. During this time, they stole more than 1,500 internal documents, as well as the data of all employee accounts in one of the network domains. In the second, the attackers managed to keep a foothold in the company's network for more than a year, obtain information about the computers on the network and install their malware on at least 12 corporate hosts in three different regions.

Of particular interest is the Space Pirates toolkit, which consists of custom loaders (in the cases studied, they contained decoy documents with Russian text) and previously undescribed backdoors such as MyKLoadClient, BH_A006 and Deed RAT.

"The group's self-developed malware is specific, so it can be used to identify Space Pirates' involvement in a particular cyber attack. For example, the backdoor we called Deed RAT implements a non-standard method of transferring control to the shellcode," said Alexey Zakharov, senior specialist in the information security threat research department at Positive Technologies. "It is the shellcode that allows attackers to obtain administrator rights on an infected computer."

Space Pirates also has well-known malware in its arsenal: the PlugX, PoisonIvy, ShadowPad and Zupdax backdoors and the public ReVBShell shell. The attackers also use the Royal Road RTF (or 8.t) builder and a modified PcShare backdoor, found mainly among hackers of Asian origin, and Chinese is actively used in resources, SFX archives and PDB file paths. The malware is most often delivered through targeted phishing, that is, the group always knows exactly whom it is attacking.

After studying the APT group's activities, the company's experts also found a large number of overlaps with previously known activity that researchers associate with the groups Winnti (APT41), Bronze Union (APT27), TA428, RedFoxtrot, Mustang Panda and Night Dragon. The likely reason, according to Positive Technologies experts, is the exchange of tools between groups, a common occurrence among APT groups in the Asian region.

"In one of the investigations, we observed on infected computers the activity not only of the Space Pirates group but also of TA428, and in the network infrastructure of another attack we traced a connection between Zupdax and the RemShell Trojan attributed to TA428. This allows us to argue that Space Pirates and TA428 may join forces and share tools, network resources and access to infected systems," said Denis Kuvshinov, head of threat research at Positive Technologies[1].

Estonian state sites attacked

On April 25, 2022, it became known that Estonian state sites were attacked.

According to the Computer Emergency Response Team of the Estonian Information System Department (CERT-EE), the attacks began on Thursday, April 21. About 75 million requests were sent to each of the attacked sites. Although the intensity of the attacks began to decline from April 22, on April 23-24 the sites were still under DDoS attack.

"At the same time, we must be prepared for the attacks to continue for some time, although their power may decrease. We cannot rest on our laurels, but need to think about how best to reduce the success of such attacks," said Tõnu Tammer, head of CERT-EE.

Although the sites were still under attack as of April 25, the malicious requests are being intercepted before they reach their target and can disable computer systems.

According to Tammer, if the attacks are successful, it is possible that the sites will be disabled.

"In addition to the sites, we carefully monitor the security of our national IT systems. So far, no anomalies have been recorded," said the head of CERT-EE.

The Estonian State Information System (RIA) Department itself has also become a target of a cyber attack, but it was able to repel it[2].

Bulgaria Post subjected to cyber attack

Unknown cybercriminals attacked Bulgaria Post. The press service of the national postal operator said that all necessary measures were taken immediately. This became known on April 19, 2022. Read more here.

Ukrtelecom was subjected to a large-scale cyber attack

The Ukrainian Internet provider Ukrtelecom was subjected to a large-scale cyber attack. This became known on March 29, 2022. Read more here.

Hackers attacked the information resources of the Miratorg meat holding

Hackers attacked the information resources of the Miratorg meat holding, disrupting the activities of some of its enterprises. This became known on March 22, 2022. Read more here.

Brazilian hackers hacked Ubisoft

Brazilian hackers hacked Ubisoft. This became known on March 12, 2022. Read more here.

Axis surveillance systems maker hit by cyber attack

Swedish maker of network cameras and surveillance systems Axis has been hit by a cyber attack. This became known on February 28, 2022. The company had to shut down all public services around the world in hopes of limiting the impact of the attack. Read more here.

Nvidia attacked by hackers

At the end of February 2022, Nvidia's internal network was hacked, and several key systems, such as email and developer tools, were down for several days. According to CRN, a South American hacker group called LAPSUS$ broke into the company's internal network and copied more than 1 TB of critical company data. Read more here.

Production shutdown at all Japanese Toyota Motor plants due to cyber attack

Toyota Motor Corp. suspended production at all of its Japanese plants from March 1, 2022, after a malfunction in a supplier's systems, marking another manufacturing setback for the world's No. 1 automaker.

The Nikkei newspaper reported earlier that the affected manufacturer of the parts is most likely Kojima Press Industry Co., and that its operations were suspended due to a cyber attack.

2021

Top 5 trends among cyber threats named

On February 27, 2022, Accenture presented data from its Cyber Threat Intelligence Report for the second half of 2021. Read more here.

Norway's largest newspapers do not come out due to hacker attack

On December 28, 2021, Amedia, the largest local news publisher in Norway, announced that several of its central computer systems had been shut down in a "major" cyber attack. Read more here.

Дневник.ру denied reports of the platform being hacked

As representatives of Дневник.ру told TAdviser in November 2023, an internal check at the school in the village of Ustye, Khokholsky District, Voronezh Region, carried out at the end of December 2021, found no hacking of the Дневник.ру platform and no hacker attack. Read more here.

Hackers hacked "Дневник.ру" and changed the grades of schoolchildren

Unknown persons hacked the Дневник.ру platform at a school in the village of Ustye, Khokholsky District, Voronezh Region, Vesti Voronezh reported with reference to the parent of one of the schoolchildren. This became known on December 27, 2021. Read more here.

1.6 million WordPress-based websites attacked

On December 10, 2021, the developers of the WordPress security plugin, Wordfence, announced a long-running attack targeting WordPress-based websites using certain add-on utilities. The developers said that in 36 hours 1.6 million WordPress websites were attacked from 16 thousand different IP addresses. Read more here.

Volvo Cars hack

On December 10, 2021, the Swedish manufacturer Volvo Cars announced that one of its file repositories had been subjected to a cyber attack. Hackers managed to steal research and development data, and the company warned that the hack could affect its operations. Read more here.

Hacker attack on Brazilian car insurer Porto Seguro

In mid-October 2021, Porto Seguro, the largest player in the Brazilian auto insurance market, announced that the company was subjected to a cyber attack, which led to a malfunction of the IT system and customer service channels. Read more here.

Every fifth attack of cyber fraudsters falls on government agencies

Most cyber attacks in 2021 were directed at government agencies: almost 20% of crimes. In 10% of cases, industrial enterprises became victims of cyber fraudsters, while 8% of attacks were aimed at medical and educational institutions and the same share at financial organizations, the VSK Insurance House reported on October 18, 2021, based on the results of a study.

In the vast majority of cases (60%), the criminals' goal is to obtain data. Other common motives for attacks on business are financial gain (21%) and hacktivism (16%), a form of digital activism aimed not at personal gain but at expressing a particular social or political position.

Most often, cybercriminals use malware, social engineering and the exploitation of web vulnerabilities, as well as tracking of user activity. The targets of cyber attacks in companies are usually computers, servers and network equipment, mobile devices, web resources, ATMs and POS terminals, and IoT devices.

As a result of cybercrime, Russian companies suffer colossal losses; by some estimates they reach several trillion rubles. The main damage is associated with the consequences of incidents: theft of funds from accounts, equipment failure, and interruptions in the organization's business activities. At the same time, companies can protect themselves from financial losses with insurance. Thus, the increase in the number of information security crimes is driving demand for cyber insurance, in particular among financial organizations.

"The trend towards digitalization of most industries has certainly become a kind of 'trigger' for the activation of cyber fraudsters. Moreover, the scale of such crimes is increasing. Cyber insurance is a way to minimize the consequences of information security crimes. Under the insurance program, you can protect both the property itself that is damaged - information, financial assets, etc. - and civil liability to third parties for the consequences of a hacker attack, or expenses associated with a business interruption. We see that many Russian companies are showing interest in cyber insurance," said Alexander Tarnovsky, General Director of VSK Insurance House.

Olympus shut down its IT systems after a massive cyber attack

In mid-October 2021, Olympus suspended its IT systems due to another hacker attack. The company continues to investigate the incident, which affected systems in the USA, Canada and Latin America. Read more here.

Damage from cyber attack in the field of TIL can reach $50 million or more

Damage from a cyber attack in the United States can reach $50 million or more. This was announced on September 15, 2021 by BCG. Read more here.

Year-over-year increase in risk of cyber attacks on businesses worldwide by 24%

On August 6, 2021, Avast, based on its own research, reported that the likelihood of a business facing cyber threats increased worldwide by 24% over the year, from 11.25% to 13.9%. This information is presented in the latest Avast Global PC Risk Report, which examines the threats to PCs that Avast blocked in March-April 2021. The results are compared with 2020 data for the same period. Read more here.

Hackers uploaded a viral program to the website of the electronic government of Kazakhstan, which users download

Hackers have uploaded a malicious program to the Kazakhstani e-government website, which is being downloaded by users. This became known in July 2021 from researchers at T&T Security and JSC National Infocommunication Holding Zerde. Read more here.

Hackers hacked the passport IT system of Belarus

At the end of July 2021, it became known about the hacking of the automated information system "Passport" in Belarus, which is a tool for automating the official activities of the passport and visa service units of the Municipal Department of Internal Affairs of the Minsk City Executive Committee, the Internal Affairs Directorate of the Regional Executive Committees, as well as the passport and visa service units subordinate to them territorial internal affairs bodies. Read more here.

Cyber ​ ​ attacks hit major energy company Luma Energy

In early June 2021, Puerto Rico's main electricity supplier, Luma Energy, was hit by a cyber attack. After the attack, a fire broke out at substations in San Juan, causing hundreds of thousands of local residents to lose power. Read more here.

Hacker attack on world's biggest meat producer JBS

In early June 2021, a cyber attack on the world's largest meat producer JBS SA caused the shutdown of all of its beef plants in the USA, which provide almost a quarter of American supplies. All of the company's meat processing plants and regional beef production enterprises were forced to close, and the work of JBS's remaining meat processing enterprises was disrupted. In Australia and Canada, slaughtering and meat processing were also suspended. Read more here.

Hackers quietly "sat" on the network of the Belgian Ministry of Internal Affairs for two years and read employees' emails

At the end of May 2021, Belgian law enforcement officers discovered a large-scale cyber attack whose purpose, presumably, was to obtain confidential data. For two years, hackers quietly "sat" on the network of the Belgian Ministry of Internal Affairs and could view employees' emails. Read more here.

Cyber attack on Toyota Auto Body auto parts maker

In May 2021, the American auto parts manufacturer Toyota Auto Body, part of the Toyota Motor group, announced a cyber attack on the company. As a result of the hack, classified information was stolen. Read more here.

Hackers hacked into Washington police's IT systems and stole documents

At the end of April 2021, the Washington police department reported that its computer network had been hacked in a targeted cyber attack. An extortion group called Babuk is threatening to reveal sensitive details about police informants if it is not contacted within three days. The FBI is involved in the investigation of the cyber attack. Read more here.

Hacking of the site of the Belarusian nuclear power plant

On April 25, 2021, the Belarusian Ministry of Energy announced that the website of the Belarusian nuclear power plant had been hacked. As a result of the hackers' cyber attack, fake information was posted on the enterprise's web resource. Read more here.

One of the SolarWinds servers was protected with a simple password

One of the SolarWinds servers was protected by the password solarwinds123, set by an intern. This became known on March 1, 2021.

Some believe the SolarWinds attack is a story about Russian or Chinese hackers, but it is essentially a story about a huge security hole that keeps widening as details of the attack emerge. And now a scapegoat has been found in this story: an inexperienced intern who used a weak password. Read more here.

SolarWinds cyber attack is the largest in history - Microsoft

In mid-February 2021, Microsoft called the cyber attack carried out through SolarWinds software the largest in history. According to Brad Smith, president of the software corporation, the hacking campaign, in which the American technology firm was used as a springboard for breaking into many US government agencies, became "the largest and most sophisticated attack the world has ever seen." Read more here.

2020

2020 High-Profile Cyber Incident Roundup

In February 2021, an overview of high-profile 2020 cyber incidents was presented.

Hackers took 24 hours to hack Twitter

The New York Department of Financial Services has published a report on the results of its investigation into the Twitter hack of July 2020. According to the report, it took the cybercriminals 24 hours to carry out the hack. This became known on October 16, 2020. Read more here.

Losses from BEC attacks reach $26 billion a year

Cybercriminals carrying out BEC attacks conduct operations in at least 39 different countries and are responsible for annual losses of $26 billion. This became known on October 15, 2020.

Information security specialists from Agari's cyber intelligence department analyzed more than 9,000 cases of BEC attacks (business email compromise) around the world and reported that their number has increased sharply over the past year, and social engineering fraud has gone far beyond Nigeria.

Such attacks cost companies $26 billion annually. As the researchers found, as of October 2020 damage from BEC attacks accounts for 40% of losses from cybercrime worldwide. The bank transfer made as part of a BEC attack averages about $80,000.

The most important aspect of any BEC attack is the role of the "money mule." These people do some work for fraudsters, opening bank accounts and making money transfers. Experts have identified "money mules" in 39 countries, but most of them are located in the United States (80%) and are not far from the scammers themselves.

BEC attacks (business email compromise) are fraudulent schemes in which criminals try to deceive one or more employees of a target organization into transferring money to bank accounts controlled by the cybercriminals. This type of attack is quite successful, since the fraudsters impersonate people the employees trust, for example a reliable business partner or the company's CEO[3].

Cyber ​ ​ campaign against Russian industrial enterprises revealed

On October 12, 2020, it became known that Kaspersky Lab had discovered a long-running cyber campaign aimed at Russian industrial enterprises. A characteristic feature of the attacks is that the campaign operators, apparently, are also Russian-speaking. The attacks began no later than 2018.


The group behind this campaign uses a set of malicious modules called MontysThree. It is designed for targeted attacks on industrial enterprises and uses a number of techniques to avoid detection, including communication with the control and command server through public cloud services and steganography.

Attacks begin with targeted phishing emails; if a potential victim opens the letter and its attachment (a self-extracting archive), the loader contained in it decrypts the main malicious module from a bitmap image carrying steganographically hidden data on the victim's computer. A specially designed algorithm is used for this.

"The names of the archives attached to the letters may be related to employee contact lists, technical documentation or the results of medical tests," the Laboratory said in a statement.

"The main malicious module uses several encryption algorithms to avoid detection, mainly RSA for communications with the control server and for decrypting configuration data. This XML-based data describes the malware's tasks: searching for documents with specified extensions, in specified directories and on removable media. This information made it possible to find out that MontysThree operators are interested in Microsoft Office and Adobe Acrobat documents," the company said in a press release.

Malicious modules can also take screenshots of the desktop, analyze network and local settings, etc.

All collected information is encrypted and uploaded to public cloud services (Google Drive, Microsoft OneDrive or Dropbox). Additional modules are downloaded through them when needed.

Laboratory experts note that the level of the technical solutions in the MontysThree set varies markedly: some are made at a very high professional level, others amateurishly. For example, storing all encryption keys in the same file and launching an invisible browser on a remote RDP host were among the features the Laboratory called a sign of immaturity and amateurism.

The developers use reliable cryptographic standards and custom steganography, and continue to develop their tools. No overlap with the code of other targeted campaigns could be detected.

The Laboratory believes that the campaign's authors speak Russian and use operating systems with a Cyrillic interface for development, as evidenced by artifacts (phrases in Russian) in an XML file. Some malicious samples contain information about accounts used for communication with public cloud services, and these look Chinese, but the Laboratory believes this is merely a not very skilful attempt to disguise the true origin of the campaign.

"We believe that MontysThree operators speak Russian themselves and that their attacks are also aimed at Russian-language targets. Some file names in the RAR archives used to distribute the malware are written in Russian and refer to a Russian medical laboratory as bait for victims. The XML settings file contains the names of data fields and Windows functions in Russian, and mentions system directory paths that exist only in localized Russian-language versions of Windows. In addition, we observed grammatical errors in the English-language malware logs," the Laboratory's experts point out.

"The difference in development quality may indicate that not all tools were developed by the campaign operators themselves. The most professionally made tools could have been purchased on the side, the less professional ones created independently. Professionals interested in running long-term campaigns are unlikely to use 'immature' tools. Another factor also indicates that amateurs are behind the campaign: professional Russian cybercriminals rarely attack targets in Russia. However, 'rarely' does not mean 'never,'" believes Alexey Vodyasov, technical director of SEQ (formerly SEC Consult Services).

Technical details about the campaign are available here.

Interpol's Russian bureau: hackers are outsourcing

On September 25, 2020, the Interpol National Central Bureau (NCB) of the Ministry of Internal Affairs of Russia announced the transition of cybercriminals to outsourcing, when hackers carry out cyberattacks as a commercial service. Read more here.

Accenture: Only 17% of companies are ready to effectively resist cyber attacks

On February 19, 2020, Accenture summed up its cybersecurity research. It surveyed 4,644 heads of information security departments of companies with revenue of more than $1 billion from 24 industries in 16 countries. The third annual Cyber Resilience Report focuses on identifying the key success factors that allow leading companies to protect their businesses from cyber threats. Read more here.

Rostelecom-Solar: a surge in unusual cyber attacks on banks and power

Experts from the Rostelecom-Solar Cyber ​ ​ Incident Investigation Center JSOC CERT recorded a surge in a rather rare type of attacks on banks and the energy industry. The chain of malicious activity includes as many as four stages, which allows hackers to gain control in the organization's IT infrastructure, remaining invisible to security tools - antiviruses and even sandboxes. Rostelecom-Solar announced this on February 18, 2020. Read more here.

2019

Positive Technologies: 60% of cyberattacks were targeted

On March 18, 2020, Positive Technologies announced that its experts had analyzed the current cyber threats of 2019. The analysis showed that the share of targeted attacks significantly exceeded the share of mass attacks, and the most attacked industries were government agencies, industry, medicine, education and the financial industry.

According to the study, the number of unique cyber attacks increased by 19%, and the share of targeted attacks amounted to 60%, which is 5 pp more than in 2018. At the same time, the company's experts recorded a quarterly increase in the number of attacks, and if in the first quarter less than half of the attacks (47%) were targeted, then at the end of the year their share was already 67%.

File:Aquote1.png
The increase in the share of targeted attacks is due to a number of reasons. Every year there are groups of attackers specializing in APT (advanced persistent threat) attacks. During the year, we tracked APT attacks of 27 groups, among which there are both widely known (Cobalt, Silence, APT28) and relatively young, little-studied. However, closer attention of organizations to cybersecurity, the introduction and use of specialized protection tools aimed at identifying and countering complex attacks (in particular, the introduction of anti-APT solutions), allows you to better detect the activity of attackers, significantly reduce the time of their presence in organizations. As a result, incident data are in the public field, and most importantly, information about tactics and tools of APT groups, which allows you to increase the effectiveness of counteraction in general,
says Alexey Novikov, director of the Positive Technologies Security Center (PT Expert Security Center).
File:Aquote2.png

According to experts, companies should shift their focus from protecting the perimeter to the ability to identify the development of an attack within the network in time, and regularly check whether they have been attacked before. Given the growth of targeted attacks, the constantly changing approaches of criminals and the increasing sophistication of malware, the key factors in ensuring protection in the coming years will be continuous monitoring of information security incidents, in-depth analysis of network traffic and retrospective analysis of events in the network.

The most frequently attacked sectors were government agencies, industry, medicine, science and education, and the financial industry. At the same time, the share of attacks on industrial companies increased to 10% against 4% in 2018.

Significant changes affected the motivation of attackers in attacks against individuals: as the analysis of cyber threats in 2019 showed, more than half of the attacks were carried out to steal data, while in 2018 the same figure was 30%. In general, information theft has become the main motive for attacks - both for private (57%) and for legal entities (60%). The greatest interest for cybercriminals in 2019 was personal data, accounts and bank card data.

As the analysis showed, ransomware Trojans have become one of the most pressing cyber threats for legal entities around the world. In 2019, they accounted for 31% of infections, and the average amount of payments to attackers reached several hundred thousand US dollars. At the end of 2019, Positive Technologies experts noted the trend: ransomware operators, in cases of refusal to pay the ransom, began to blackmail victims with the publication of data that they copied before encrypting them. According to the study, at the end of 2019, such campaigns were carried out by the ransomware operators Maze and Sodinokibi. The information that the criminals managed to make money on ransoms suggests that in 2020 we will face another wave of ransomware attacks, and the tendency to publish the files of victims who refused to pay the ransom will develop at the end of the year.

Dell Technologies: 82% of companies affected by cyber attacks and incidents

According to the Dell Technologies study Global Data Protection Index 2020 Snapshot, conducted in 2020, as of March 2020 organizations manage 13.53 petabytes (PB) of data, which is 40% more than the 2018 average (9.7 PB) and 831% more than in 2016 (1.45 PB). The greatest risk to this data is the growing number of incidents, from cyber attacks to data loss to system downtime. Most organisations (82% in 2019 compared to 76% in 2018) say they have been affected by such incidents in the past year. Read more here.

Positive Technologies: 82% of all identified vulnerabilities are due to code errors

On February 13, 2020, Positive Technologies reported that its experts analyzed the security status of web applications and found that in 9 out of 10 cases, attackers can attack site visitors, 16% of applications contain vulnerabilities that allow them to gain full control over the system, and in 8% of cases - attack the company's internal network. In addition, having full access to the web server, hackers can post their own content on the attacked site (deface) or even attack its visitors, for example, infecting their computers.

According to the study, in 2019, the share of web applications containing high-risk vulnerabilities decreased significantly (by 17 percentage points compared to 2018). The number of vulnerabilities, which on average falls per application, decreased by almost one and a half times compared to 2018. Despite this, the overall level of security of web applications is assessed as low.

82% of all identified vulnerabilities are due to errors in the code. According to experts, high-risk vulnerabilities were found even in production systems, in every second one. A high percentage of errors in the source code indicates that the code does not pass vulnerability checks at the intermediate stages of its creation, and that developers still pay insufficient attention to security, betting on the functionality of the application.

In 45% of web applications examined, experts found shortcomings in authentication (Broken Authentication); many vulnerabilities from this category are critically dangerous.

File:Aquote1.png
Most authentication attacks involve users setting only a password. The absence of a second factor makes authentication attacks easy to implement. This problem is aggravated by the fact that users are trying to come up with easier passwords. Bypassing access restrictions usually results in unauthorized disclosure, modification, or destruction of data,
thinks Olga Zinenko, analyst at Positive Technologies.
File:Aquote2.png
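The second factor the quote calls for can be added with a small amount of code. The following is an added Python example, not code from the study or from Positive Technologies: a login check that requires both a password and an RFC 6238 TOTP code, built on RFC 4226 HOTP using only the standard library. The user table, the demo salt and the base32 secret are constructed values (the secret is the base32 form of the RFC 4226 test key); rate limiting and per-user salts, which a real deployment also needs, are left out.

```python
import base64
import hashlib
import hmac
import struct

# HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation.
def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# TOTP (RFC 6238): HOTP with the counter derived from Unix time / 30 s.
def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    return hotp(secret_b32, unix_time // step)

# Accept the current step and one step either side (clock drift). Every slot is
# compared in constant time, and the loop never exits early, so timing does not
# reveal which slot matched.
def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:
            continue  # struct.pack cannot encode a negative counter
        if hmac.compare_digest(hotp(secret_b32, counter + delta), submitted):
            ok = True
    return ok

# Constructed demo salt; a real system stores a random salt per user.
DEMO_SALT = b"demo-salt-not-for-production"

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)

# Constructed demo user table (secret = base32 of "12345678901234567890").
DEMO_USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple"),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    },
}

# Login succeeds only when both factors are valid. Both checks always run, so a
# wrong password and a wrong one-time code cost the attacker the same time.
def login(username: str, password: str, otp: str, unix_time: int,
          users=DEMO_USERS) -> bool:
    record = users.get(username)
    if record is None:
        return False
    pw_ok = hmac.compare_digest(record["password_hash"], hash_password(password))
    otp_ok = verify_totp(record["totp_secret"], otp, unix_time)
    return pw_ok and otp_ok
```

The window of one step either side is the usual trade-off between tolerating phone clock drift and keeping a stolen code valid for as short a time as possible; a stolen password alone never passes `login`.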

According to experts, 90% of web applications are susceptible to attacks on their users. As in previous years, the Cross-Site Scripting (XSS) vulnerability plays a significant role in this. Examples of attacks on users include infecting their computers with malware (the share of this method in attacks on individuals rose to 62% in the third quarter of the year versus 50% in the second), phishing to obtain credentials or other important data, and performing actions on the user's behalf using the deceptive clickjacking technique, in particular to inflate likes and views.
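The two client-side weaknesses just named have well-known fixes that a code review can check for. As an added Python example (not code from the study or from Positive Technologies), the block below shows a comment-rendering function in its XSS-vulnerable form beside the hardened form that encodes user text for the HTML context, plus a header check for the X-Frame-Options / CSP frame-ancestors protection that defeats clickjacking. The template string and the header dictionaries are constructed for the example.

```python
import html
from typing import Mapping

COMMENT_TEMPLATE = '<p class="comment">{}</p>'  # constructed template

# Vulnerable form: user text is interpolated straight into HTML, so "<script>"
# in a stored comment becomes live markup in every visitor's browser (stored XSS).
def render_comment_unsafe(user_text: str) -> str:
    return COMMENT_TEMPLATE.format(user_text)

# Hardened form: encode for the HTML text context before interpolation.
# quote=True also encodes ' and ", so the same helper is safe inside attributes.
def render_comment(user_text: str) -> str:
    return COMMENT_TEMPLATE.format(html.escape(user_text, quote=True))

# Clickjacking defense: the response must forbid framing by other origins.
# Accepts X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive
# whose source list is non-empty and does not contain the wildcard.
def has_frame_protection(headers: Mapping[str, str]) -> bool:
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            return bool(sources) and "*" not in sources
    return False

# Audit helper: given (url, response headers) pairs, list pages that can be framed.
def unprotected_pages(pages):
    return [url for url, headers in pages if not has_frame_protection(headers)]
```

Output encoding is per context: `html.escape` is right for element text and attribute values, but a value placed inside a script block or a URL needs the encoder for that context instead.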

Analysis of "high-profile" incidents in the field of information security in 2019

2019 was rich in incidents. There were many cases of improper storage of information and late elimination of critical vulnerabilities that led to major data leaks, as well as many attacks on financial institutions, retail, and Internet of Things devices. Several dangerous attacks were carried out on industrial enterprises. The article describes the largest and most interesting attacks, grouped by the key gap in the defense system or the key action carried out by the attacker.

USA, China, India, Russia and Vietnam - the main sources of all types of attacks in the I-II quarters

On December 17, 2019, it became known that, referring to a study by Lumen Technologies (formerly CenturyLink), Nikolai Murashov, Deputy Director of the National Coordination Center for Computer Incidents (NCCCI), named the main sources of all types of attacks in the I-II quarters of 2019: the USA, China, India, Russia and Vietnam (from more to less). The United States is also among the leaders in phishing attacks, followed by Germany, the Netherlands, France and Russia. Undisputed primacy in distributing malware through web resources belongs to the United States, followed by China, the Netherlands, Germany and Great Britain. Nikolai Murashov shares these results of the international research.

According to NCCCI data, the main targets of computer attacks on information resources of the Russian Federation in 2019 were the credit and financial sector (33%), state authorities (27%), the defense industry and space (18%), science and education (9%), and others (13%). In 2020, NCCCI expects that the trend will continue and the credit and financial sector will continue to be exposed to the greatest dangers due to the desire of cybercriminals to earn money.

As of December 2019, NCCCI monitors tens of thousands of different facilities, of which 50% are critical information infrastructure (CII) facilities. At the end of 2019, the largest number of attacks were repelled in the rocket and space, defense and chemical industries.

File:Aquote1.png
It is there that attackers are looking for any opportunity to obtain classified information, including information constituting a commercial or other secret protected by law,
Nikolai Murashov explained.
File:Aquote2.png

As the deputy head of the NCCCI noted, in 2019, as in previous years, cases of infection with ransomware viruses were recorded in order to obtain a ransom.

File:Aquote1.png
Against the background of other states, the situation with this type of malware in the Russian Federation can be called calm, the number of such infections as of December 2019 is decreasing
reported Nikolai Murashov.
File:Aquote2.png

However, Nikolai Murashov drew attention to the fact that the niche of ransomware viruses is being occupied by malware used to seize other people's resources for the purpose of mining cryptocurrencies.

File:Aquote1.png
Against the background of other states, the situation with this type of malware in the Russian Federation can be called calm, the amount of such virtual money is quite high, so there are also many people who want to earn it easily. Miners hack into the computers of ordinary users and use their computing resources for their own purposes. Up to 80% of the power of the captured computer can be used to generate virtual coins. Very often legal users do not know about it,
noted Nikolai Murashov.
File:Aquote2.png

As Nikolai Murashov pointed out, the seizure of servers of large companies for mining threatens to significantly reduce their productivity, which entails significant damage to business.

File:Aquote1.png
It is worth noting that the number of detected cases of cryptocurrency mining using infected information resources of various state and municipal organizations is huge. In this case, attackers infect web pages, and mining is carried out when resource users view them in a browser,
Nikolai Murashov[4] gave an example.[5]
File:Aquote2.png

Fortinet: AI development and cyber threat intelligence will change traditional benefits of cybercriminals

On December 5, 2019, Fortinet released a threat landscape forecast for 2020 and beyond, prepared by a team of experts from FortiGuard Labs. The study reveals the directions in which cybercriminals will act in the near future. In addition, techniques were outlined to help organizations defend against future attacks.

File:Aquote1.png
Previously, success in the actions of attackers was largely due to the expansion of the surface of cyber attacks and the resulting security gaps caused by digital transformation. Recently, their attack techniques have become even more sophisticated thanks to the integration of initial forms of AI and swarm technology. Fortunately, it is possible to restore the previous level of security if many companies adhere to the same strategies to protect their networks through which criminals organize attacks. This will require a unified approach using broad, integrated, and automated solutions to protect and control all segments of the network, as well as various peripherals, from IoT to dynamically connected clouds,
noted Derek Manky, Head of Global Threat Security and Analysis, Fortinet.
File:Aquote2.png

As noted in Fortinet, in recent years, the methods of conducting cyber attacks have become more sophisticated, which has led to an increase in their effectiveness and speed. This trend is likely to continue until there are enough organizations on the market that change their approach to defense strategies. Given the scale of the global threat landscape, the speed and complexity of cyber attacks, organizations will have to respond to emerging threats in real time, keeping up with machines to effectively counter aggressive actions. In this struggle, it will become vital to apply the latest advances in artificial intelligence (AI) and threat research.

One of the long-term goals in the development of AI for security is to create an adaptive threat immunity system that works similarly to the human immune system. The development of such a first-generation AI was aimed at using various machine learning models. They trained, adjusted and proposed a specific action plan to repel the attack. In second-generation AI systems, the emphasis was on creating a mining engine. Its level had grown significantly by this time and made it possible to identify patterns that significantly improved the operation of various functions, such as access control, by placing learning nodes in all areas of protection. The development of third-generation AI systems follows the path of abandoning the use of a monolithic processing center in favor of creating a system of regional learning nodes. Data is collected locally and used for distributed comparison, correction, and analysis. This will be critical for companies looking for ways to protect their burgeoning peripheral segments.

In addition to using traditional forms of threat analysis using data from open sources or after studying internal traffic and accumulated information, future machine learning systems will over time actively use data collected from new generation peripherals and transmitted to local learning nodes. By tracking and matching information in real time, the AI system will be able to have a more complete understanding of the current state of threats. It will also be able to adjust the operation of local devices by setting them rules for responding to incidents. This will allow future AI security systems to recognize threats, adjust their actions, track and be ready for retaliatory measures, exchanging information within the network. Ultimately, a distributed learning system will allow data sets to be combined to adapt to changing conditions, trends, and events. Thus, each event will improve the quality of the entire system. As a result, information about the incident received at one location will raise awareness of ongoing threats to the entire system.

The introduction of AI allows companies not only to automate the execution of tasks, but also opens up the possibility of creating an automated system for finding and detecting cyber attacks - both after the first signs appear and before the scenario is carried out. Through the combined use of machine learning and statistical analysis, organizations can develop a customized, AI-driven action plan to improve threat detection and response. Prepared response scenarios (playbooks) should learn to identify patterns by which AI will predict the actions of the attacking side, suggest the time of the likely start of the next attack, and even identify the suspects behind the threat. If this data can be provided to the AI training system, then remote learning nodes can support effective and proactive protection, not only limited to detecting threats, but also allowing them to predict subsequent actions, proactively intervene in the process and coordinate actions with other nodes to simultaneously counter the spread of the attack.

One of the most important factors in the fight against espionage, according to Fortinet, is effective counterintelligence. The same is true for cyber attacks or defense, where all actions are closely monitored. The defending side has a clear advantage in accessing various kinds of threat information. Cybercriminals usually do not have the capabilities to which machine learning and AI tools have been added. However, the use of clever tricks can lead to retaliatory measures on the part of intruders. They learn to distinguish legitimate traffic from tricks and try to do it unnoticed so as not to reveal themselves during an attack. To effectively counter such a strategy, organizations will need to add response scenarios and improved AI algorithms to their arsenal. This will help not only detect violators engaged in analyzing legitimate traffic, but also improve the technology of tricks, which will make it impossible to distinguish them from legitimate messages. In the future, organizations must learn to respond to any espionage techniques before taking action, while maintaining superiority in control.

The activities of organizations involved in cybersecurity give them a number of unique privileges regarding access to personal information; representatives of the underworld have no such right. This allows law enforcement agencies to set up their own command centers with global reach and extend their actions to individuals, being able to monitor and respond to cybercriminals in real time. The existing system of legal action, as well as communication with public and private services, can also be useful for identifying violators and responding. Initiatives can be expected to form a unified approach for linkages between international and local law enforcement agencies, government organizations, the corporate sector, and security experts. This will contribute to the development of a system of timely and secure information exchange to build protection for critical infrastructures and strengthen the fight against cybercrime.

The opportunities that organizations bring to their defense strategy are unlikely to be ignored by the enemy and will have a response. The introduction of improved methods for detecting and countering cyber attacks will lead to attempts by cybercriminals to do something different, even more serious. Against the background of the emergence of more advanced attack methods, the expansion of potential attacks, the introduction of smarter AI systems, the ingenuity of representatives of the cybercriminal world is also not reduced.

A recent Fortinet Threat Landscape report noted the growing popularity of various advanced evasion techniques. Their development is aimed specifically at avoiding detection, disabling protection functions and control devices, causing damage while remaining in plain sight of protection systems, and using LotL ("Living off the Land") tactics - using legitimately installed software and disguising malicious traffic as legitimate. Much modern malware already contains functions that allow it to evade detection by antivirus programs or other means of countering threats. But attackers continue to use increasingly sophisticated ways to confuse and counter analysis. As such strategies spread, the value of any "weak spots" that remain in security tools or appear as a result of personnel errors increases significantly.

Over the past few years, the market has seen an increase in the popularity of swarm technology associated with the fulfillment of the task due to massive, coordinated, similar actions. The use of machine learning tools and AI in attacks against legitimate networks and devices has led to the emergence of another way to use this technology. On the one hand, its achievements are important for solving applied problems in the field of medicine, transport, mechanical engineering, automation. However, if maliciously used in an environment where organizations do not make changes to their defense strategy, parity can be violated in favor of attackers. Cybercriminals can use Swarm technology in bot attacks to penetrate the network, suppress internal defenses, improve search efficiency and steal data. Over time, it is expected that specialized bots will appear, endowed with certain functions, which will exchange data in real time and match them. As a result, the speed of target selection will increase, and the tactics of the attack will become more diverse. Cybercriminals will be able to attack not only one, but also many targets at once at the same time.

The penetration of 5G networks could eventually become a catalyst for the development of functional swarm attacks. They will be based on the ability to build local ad hoc networks that can quickly exchange and process data and launch applications. At the same time, hacked devices can become a vehicle for misusing 5G and edge computing to distribute malicious code. Assembled into a group, they could carry out coordinated attacks at 5G speeds. Given the speed, intelligence, and local nature of such attacks, outdated security technologies may be at risk, which will force a search for ways to counter such threats effectively.

Previously, it traditionally took a lot of effort and time to find a zero-day vulnerability and develop an exploit. Therefore, cybercriminals were in no hurry to use them, keeping them in reserve while other attack options were available. The current situation is characterized by an increase in possible directions for threats, as well as a simplification of the task of identifying vulnerabilities. This has led to the threat of a potential increase in the number of zero-day vulnerabilities. The use of fuzzing technologies and the systematic search ("mining") for zero-day vulnerabilities using AI also contribute to an exponential increase in the number of such cyber attacks. Therefore, it is necessary to take measures in advance to protect against this trend.

Accenture: Key Threats to Business Information Security

On September 20, 2019, Accenture presented the results of a study in which it identified the main threats to business information security in 2019. Accenture estimates that the cybersecurity services market is growing at a pace similar to Digital and IT markets. Accenture predicts that by 2021 the volume of the global information security market will increase by 66% and amount to $202 billion. At the same time, the total global damage from cyber attacks could grow by 39% to $2.1 billion by 2021. Read more here.

TaskMasters cyber group attacks organizations in Russia and the CIS

On May 13, 2019, Positive Technologies announced that its Expert Security Center experts had discovered a cyber group allegedly with Asian roots. The attackers attacked more than 30 organizations from various industries, including industry, energy and oil and gas sectors in Russia, the CIS and other countries. At the same time, a significant number of victims were in Russia and the CIS. The main goal of the group is to steal confidential information of organizations. The group has been operating for at least several years: traces of TaskMasters activity have been found since 2010.

The group used an unusual method of gaining a foothold in the IT infrastructure: its members created specific tasks in the task scheduler (hence the name TaskMasters). Task Scheduler allows OS commands to be executed and software to be run at a time specified in the task. The AtNow scheduler used by the cyber group allows tasks to be performed not only locally but also on remote computers in the network, regardless of the time settings of those nodes. In addition, this utility does not require installation. All this simplifies the automation of the attack.
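Scheduled-task persistence of this kind leaves a record on the host, and a detection rule can score each task-creation event for the traits described above. The block below is an added Python example, not part of the Positive Technologies report: it parses constructed, simplified key=value log lines (loosely modelled on the fields of Windows Security event 4698, "A scheduled task was created", with an assumed extra Origin field standing in for local versus network registration), flags tasks with at.exe-style names, binaries in user-writable paths or network origin, and pivots on accounts that register tasks on several hosts. Host names, account names, paths and thresholds are all assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample events (simplified representation, not the real 4698 XML layout).
SAMPLE_EVENTS = [
    r'EventID=4698 Computer=WS01 SubjectUserName=svc_backup Origin=local TaskName=\Microsoft\Windows\Backup\Nightly Command="C:\Program Files\Backup\backup.exe"',
    r'EventID=4698 Computer=WS01 SubjectUserName=jdoe Origin=network TaskName=\At1 Command="C:\Users\Public\svchost.exe"',
    r'EventID=4698 Computer=FS02 SubjectUserName=jdoe Origin=network TaskName=\Microsoft\Windows\Maintenance\Clean Command="C:\Windows\Temp\upd.exe"',
    r'EventID=4698 Computer=WS03 SubjectUserName=admin Origin=local TaskName="\Adobe Acrobat Update Task" Command="C:\Program Files\Adobe\update.exe"',
]

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

# Task binaries in user-writable locations are a classic persistence tell.
USER_WRITABLE = re.compile(
    r'^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\|%TEMP%|%APPDATA%)', re.IGNORECASE)
# at.exe / AtNow-style registrations produce generic names such as \At1, \At2.
AT_STYLE_NAME = re.compile(r'^\\At\d+$', re.IGNORECASE)

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of suspicious traits found in one task-creation event."""
    reasons: List[str] = []
    if ev.get("EventID") != "4698":
        return reasons
    if ev.get("Origin") == "network":
        reasons.append("task registered over the network")
    if USER_WRITABLE.match(ev.get("Command", "")):
        reasons.append("command in user-writable path")
    if AT_STYLE_NAME.match(ev.get("TaskName", "")):
        reasons.append("at.exe-style task name")
    return reasons

def find_suspicious(lines, min_reasons: int = 1):
    """(computer, task name, reasons) for every event with at least min_reasons traits."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            findings.append((ev.get("Computer"), ev.get("TaskName"), reasons))
    return findings

# Pivot: one account registering tasks on several hosts suggests lateral movement.
def accounts_on_multiple_hosts(lines, min_hosts: int = 2) -> List[str]:
    hosts: Dict[str, set] = {}
    for line in lines:
        ev = parse_event(line)
        hosts.setdefault(ev.get("SubjectUserName", ""), set()).add(ev.get("Computer"))
    return sorted(user for user, h in hosts.items() if len(h) >= min_hosts)

if __name__ == "__main__":
    for computer, task, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{computer}: {task} -> {', '.join(reasons)}")
    print("accounts on multiple hosts:", accounts_on_multiple_hosts(SAMPLE_EVENTS))
```

Scoring on several independent traits keeps the rule useful against renamed tasks: a task with a benign-looking name is still flagged when its binary lives under a temp directory and it was registered remotely.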

File:Aquote1.png
After entering the local network, attackers investigate the infrastructure, exploit vulnerabilities, download malicious programs to compromised nodes and remotely use them for espionage. You can detect such attacks using specialized security tools, including PT Network Attack Discovery, and to analyze attacks and prevent them, you need to involve professionals in investigating cyber incidents.
File:Aquote2.png

Positive Technologies experts suggest that members of the TaskMasters group may be residents of Asian countries. The code of the tools they use contains mentions of Chinese developers; during some attacks, connections from IP addresses in China were recorded; and keys for some versions of the programs can be found on forums where residents of this country communicate. In addition, many utilities from the TaskMasters package contain error messages and other debugging information written in English with mistakes, which indicates that it is not the developers' native language.

Over the past two and a half years, specialists from the Positive Technologies security expert center have conducted more than fifty investigations into information security incidents, including the discovery of the ICEFOG group, the identification of APT attacks on public and private companies, and an investigation into the actions of the Cobalt group, whose members' activity experts were able to trace even after the arrest of its leader.

Cyberattacks left Venezuela without lights for days

March 11, 2019 was the fifth consecutive day of lack of electricity in almost all of Venezuela. President Nicolas Maduro said that the cause of the blackout was cyber attacks by the United States. Read more here.

Damage from coordinated global cyber attack assessed

According to information from January 29, 2019, a coordinated global cyber attack can cause damage in the amount of $85 billion to $193 billion. This conclusion was reached by specialists from the insurance market Lloyd's of London and the financial company Aon following the results of stress testing for risk assessment.

Such an attack will lead to insurance claims covering various aspects, from stopping business operations and cyber power to the cost of responding to cyber incidents.

As part of the global cyber attack scenario, experts predict the total amount of insurance payments in the range from $10 billion to $27 billion.

A number of sectors worldwide may suffer from cyber attacks; according to experts, organizations in health care, retail, banking and industry will suffer the greatest losses.

In countries with well-developed economies (the United States and European states), material losses will be the most significant.[6]

2018

48% of attacks in the fourth quarter were aimed at obtaining data

In the IV quarter of 2018, the number of notifications of personal data leaks continued to grow, and social engineering was used in every third attack, Positive Technologies said on February 19, 2019. In addition, specialists from the Positive Technologies security expert center discovered a hacker group aimed at Russian banks.

As the study showed, the number of notifications of personal data leaks continues to grow. Experts explain this by the introduction of General Data Protection Regulation, a legislative act establishing rules for the protection of personal data of EU citizens. Companies that have previously been silent about incidents, after the news of the first fines and warnings, will probably be more willing to notify customers about cyber attacks, analysts at Positive Technologies say.

In the IV quarter of last year, 48% of attacks were aimed at obtaining data. Interestingly, in half of them attackers used malware. First of all (28% of attacks), criminals were interested in credentials (logins, passwords) for access to various services and systems, including the e-mail of company employees.

The share of targeted attacks continued to grow: it amounted to 62%. Experts note that attackers increasingly use an "individual approach" to attack organizations, while individuals suffer from large-scale malware infections. A third of attacks on individuals were aimed at obtaining data. Credentials are of the greatest interest to cybercriminals (they are stolen in 60% of cases), Positive Technologies noted.

The proportion of incidents that directly benefited criminals financially rose 6% from the previous quarter. In the IV quarter, specialists from the Positive Technologies Security Expert Center noted the activity of three groups attacking financial organizations: the already familiar Silence and Cobalt, as well as a group aimed at Russian banks. The attackers sent malicious documents with macros allegedly on behalf of FinCERT, as well as through the compromised account of an employee of Alfa-Capital. Despite the similarity of both attacks to the activity of the Treasure Hunters group, traffic analysis led experts to conclude that another group of cybercriminals had appeared.

According to experts from Positive Technologies, social engineering in the IV quarter was used in every third attack.

File:Aquote1.png
Phishing against the employees of the victim company has become an already worked out scheme of attackers in the framework of targeted attacks, "said Alexey Novikov, director of the Positive Technologies Security Expert Center. - So, in November, our specialists discovered a malicious attachment in emails which allowed an attacker to capture images from webcams, record sound, take screenshots and copy files from media devices. The criminals deftly attracted the attention of the addressees with the catchy subject of the letter and a blurry image of the opening file on which a coat of arms could be seen, so that the document would inspire trust and a desire to read it by enabling the necessary script. While the victim saw a stub document on the screen, the Treasure Hunter remote-control malware was installed on the computer unnoticed by the user; it collected information about the system, sent it to the remote command server and received commands from it.
File:Aquote2.png

According to Yevgeny Gnedin, head of information security analytics at Positive Technologies, emails are often sent for marketing purposes and contain buttons inviting the recipient to go to a site.

File:Aquote1.png
We remind you that before clicking on such a button in the letter, you need to pay attention to the name of the addressee, as well as to the link that will be opened after clicking, "says Yevgeny Gnedin.
File:Aquote2.png
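The check recommended in the quote above, looking at the name on the letter and at where a link really leads before clicking, can also be automated at the mail gateway. The following is an added Python example, not code from Positive Technologies: it reads the From header, extracts every anchor from an HTML body with the standard-library parser, and flags links whose visible address differs from the real href or whose target lies outside the sender's domain. The message is constructed; the `.test` domains are reserved example names, and the registrable-domain helper is a deliberate simplification that ignores country-code second-level domains.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible anchor text that itself looks like a web address.
URL_LIKE = re.compile(r'^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$', re.IGNORECASE)

def host_of(value: str) -> str:
    if not value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def registrable(host: str) -> str:
    # Simplification: last two labels. Production code should use a public-suffix list.
    return ".".join(host.split(".")[-2:]) if host else ""

def sender_domain(from_header: str) -> str:
    _display_name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def suspicious_links(from_header: str, html_body: str):
    """Return the links in html_body that a reader should not trust blindly."""
    sender = registrable(sender_domain(from_header))
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = registrable(host_of(href))
        reasons = []
        # Displayed "https://bank..." pointing somewhere else is the classic lure.
        if URL_LIKE.match(text) and registrable(host_of(text)) != target:
            reasons.append("displayed address differs from link target")
        if target and target != sender:
            reasons.append("link target outside sender domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed message for the demo: one honest link, one lure.
DEMO_FROM = "Example Bank Alerts <alerts@examplebank.test>"
DEMO_BODY = """
<p>Your statement is ready.</p>
<a href="https://examplebank.test/statements">View statement</a>
<p>Confirm your identity:</p>
<a href="http://login.examplebank-secure.test/auth">https://examplebank.test/login</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(DEMO_FROM, DEMO_BODY):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The "outside sender domain" rule produces noise for legitimate newsletters that link to third-party sites, so in practice it is paired with an allow list; the display-text mismatch rule has far fewer legitimate triggers and is the one worth alerting on by itself.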

Balabit study

Check Point: 97% of companies are not ready for Fifth Generation cyber attacks

According to the 2018 Security Report, prepared by Check Point Software Technologies, more than 300 mobile applications distributed through official stores contain malicious code. Check Point also notes that the number of cloud threats, cryptomainer attacks, MacOS vulnerabilities and IoT devices continues to grow. Read more here.

Attack on four gas companies in the United States

In early April 2018, it became known about hacker attacks on four American gas companies. As a result of the cyber attack, some IT systems were shut down for several days for security reasons.

Unknown cybercriminals attacked Boardwalk Pipeline Partners, Eastern Shore Natural Gas, Oneok and Energy Transfer, which operate gas pipelines. The attacks were carried out in late March.

Oneok, which operates gas pipelines in the Permian oil and gas basin in Texas and the Rocky Mountains (western North America), said the decision to shut down the computer system was taken as a precaution after the contractor became an "apparent target for a cyber attack."

Four gas pipeline companies in the United States were attacked by hackers. IT systems shut down

Oneok did not specify which system was frozen. Energy Transfer said that it disabled the electronic data interchange (EDI) platform used with customers, through which purchase orders, invoices and other documents are transferred; the platform was developed by its subsidiary Energy Services Group to speed up the transfer of documents and reduce costs.

"This situation has not affected our activities. During the shutdown, we perform all planned operations manually," Energy Transfer spokeswoman Vicki Granado told Bloomberg.

Energy Services' EDI solution is also used by other companies such as Tallgrass Energy Partners and Kinder Morgan. Their representatives say the companies' computer systems have not been affected. Boardwalk Pipeline Partners confirmed that the EDI system failed, but did not specify the reason. Eastern Shore Natural Gas said the same.

By April 4, 2018, the electronic document management systems of all gas companies that have experienced cyber attacks have been fully restored.

Rae McQuade, president of the North American Energy Standards Board (responsible for developing industry standards in the energy sector), says that disabling EDI systems does not stop the transfer of gas, but has a serious impact because companies have to look for workarounds to interact.

Jones Walker partner Andy Lee notes that the companies that manage most of the 3-million-mile US gas pipeline network use third-party document management solutions, so they depend on those responsible for the security of such systems. At the same time, hackers are attracted by the easy accessibility of EDI, which allows them to spread ransomware or steal data for subsequent sale.

According to Phil Neray, an expert on the cybersecurity of industrial systems, the hacker attack on gas pipeline companies was carried out for financial gain, but it cannot be ruled out that the authorities of some country were behind it.

"Networks of companies that have important assets, such as pipelines, electricity, finance, can be targets for attacks. This has always been the case," said John Harbaugh, operations director of the information security solutions provider R9B.

Electronic data exchange systems are used by cybercriminals to penetrate the IT infrastructure of companies, but are not the ultimate goal for them, says Accenture spokesman Jim Guinn.

"There is absolutely no value in accessing EDI except for moving around the network to do something even more malicious. All bad actors are looking for a way to get into the museum to steal the van Gogh painting," he said, adding that there are no fundamental differences between the systems of oil and gas companies.[7]

2017

By 2021, global damage from cyber attacks will exceed $6 trillion

According to RedSys, as of the end of December 2017 the number of cyber attacks continues to increase. In the first half of 2017 alone, more than 900 cyber attacks were carried out, as a result of which more than 1.9 billion data records were stolen. Most attacks are based on ransomware, which infects computers and restricts access to files until a ransom is paid. In addition, some malware directly stole millions of dollars.

In general, the 2017 cyber attacks highlighted the existing problem of ensuring information security, said Dmitry Shumilin, director of the RedSys information security center.

"The trend observed over the past years unequivocally suggests that one should not expect a decrease in the number and scale of attacks. Attacks will probably increasingly target specific vulnerable points, and attacks using IoT devices are also expected to increase: their prevalence has recently been growing like an avalanche, while their security leaves much to be desired," the expert predicts.

The increase in threats, in turn, will lead to a sharp increase in business and government spending on data protection. According to Cybersecurity Ventures forecasts, global spending on cyber security over the next four years will amount to about $1 trillion. However, the damage from cybercrime will also grow significantly: in 2015, the cost of compensating global damage from ransomware attacks amounted to $325 million; in 2017, according to preliminary estimates, these costs will exceed $5 billion, and by 2021 the indicator will exceed $6 trillion.

Any enterprises around the world can be subjected to a cyber attack, regardless of their size and type of activity. At the same time, many corporations have already thought about ways to solve the problem - this is evidenced by the budgets planned for 2018, added Dmitry Shumilin.[8]

Invented a computer that is "impossible to hack"

Michigan State University received a $3.6 million grant from the Defense Advanced Research Projects Agency (DARPA) to develop a computer that would be invulnerable to hardware-level hacking.[9]

The idea of the project, called Morpheus, is to make any attempt to attack computer software or hardware futile. Morpheus hardware components will form an "indestructible puzzle": all information contained in the system can be quickly and randomly redistributed across different components.

Main article: DARPA Morpheus "Indestructible Puzzle"

$1.3 billion lost marketers in 2016 due to DeviceID reset fraud

On September 20, 2017, AppsFlyer announced that its Protect360 solution had identified the scale of fraud involving DeviceID resets. According to the data obtained, this type of fraud accounts for over 50% of all fraud associated with application installations, much more than expected. According to AppsFlyer estimates, in 2016 marketers lost $1.1-1.3 billion due to DeviceID reset fraud.[10]

This recently discovered type of fraud is based on resetting a mobile device's identifier. It is used by criminals who run highly organized "farms" of mobile devices (also known as "mobile farms" or click farms) to hide their actions. Such farms can number thousands of devices, so fraud on this scale is not easy to hide, and criminals resort to a number of techniques to remain in the shadows. Sequential resetting of the unique identifier is one such technique, carried out on each mobile device. A phone in a "mobile farm" is then registered as new even after several thousand installations of the application, which costs companies up to several billion dollars annually, AppsFlyer explained.

According to data obtained by Protect360, DeviceID reset fraud:

  • takes money from marketers in 10% of cases - on average, one in 10 inorganic installations is fraudulent. This means that of every dollar spent on mobile advertising, 10 cents goes straight into the pockets of scammers;
  • equally affects both iOS and Android;
  • causes damage to 16 of the 100 leading advertising networks: in them, over 20% of the application installations delivered are fraudulent.

Source: AppsFlyer


This type of fraud is not limited to a particular country or region. Fraudsters mainly target countries with high CPI (cost-per-install) rates. In addition, DeviceID reset scammers target regions with a large number of campaigns and users in order to get lost in the expected large traffic flow and go unnoticed by advertisers and networks.

According to the study, the Eastern Europe region, which includes Russia, accounts for 4.8% of the total financial losses caused by this type of fraud worldwide. The company was able to establish that the largest share of fraudulent DeviceID reset installations are in Asia, followed by North America and Europe. At the same time, North America (33.6% of the global level), Western Europe (17.1%) and Southeast Asia (14.5%) are experiencing the greatest financial damage.
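The mechanism described above (a device that presents a fresh identifier after every install while its egress address and hardware profile stay the same) suggests a simple detection heuristic. The following is an added example written for this page, not AppsFlyer's or Protect360's own logic: the attribution events, the profile fields (IP, model, OS) and the thresholds (five new device IDs inside one hour) are constructed assumptions for illustration. It groups install postbacks by the profile that survives a reset, counts distinct device IDs in a sliding window, and reports the share of installs that came from flagged profiles.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed attribution events (not real AppsFlyer data): one record per
# app-install postback, with the fields a fraud check would typically see.
# The "farm" profile below reuses one egress IP and one hardware profile while
# presenting a fresh device ID every few minutes, as the page describes.
SAMPLE_INSTALLS = [
    {"device_id": "A1", "ip": "198.51.100.10", "model": "Pixel 2", "os": "Android 8.0", "ts": "2017-09-01T10:00:00"},
    {"device_id": "A1", "ip": "198.51.100.10", "model": "Pixel 2", "os": "Android 8.0", "ts": "2017-09-01T10:20:00"},  # reinstall, same ID
    {"device_id": "B2", "ip": "203.0.113.5", "model": "iPhone 7", "os": "iOS 10.3", "ts": "2017-09-01T10:05:00"},
]
SAMPLE_INSTALLS += [
    {"device_id": f"F{i:03d}", "ip": "192.0.2.77", "model": "Galaxy S7", "os": "Android 7.0",
     "ts": (datetime(2017, 9, 1, 11, 0) + timedelta(minutes=3 * i)).isoformat()}
    for i in range(12)
]


def profile_key(event):
    """Hardware/network profile that survives a device ID reset (assumed fields)."""
    return (event["ip"], event["model"], event["os"])


def max_distinct_ids_in_window(events, window):
    """Largest number of distinct device IDs seen inside any sliding time window.

    `events` is a list of (timestamp, device_id) pairs; it is sorted here.
    A reinstall from the same device ID is counted once, so only genuinely
    'new' identifiers drive the count."""
    events = sorted(events)
    live = Counter()          # device IDs currently inside the window
    best = left = 0
    for ts, dev in events:
        live[dev] += 1
        while ts - events[left][0] > window:   # drop events that fell out of the window
            old = events[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def find_reset_farms(installs, window=timedelta(hours=1), min_new_ids=5):
    """Return {profile: sorted device IDs} for profiles that produced at least
    `min_new_ids` distinct device IDs inside one `window`.
    The thresholds are illustrative assumptions, not figures from the page."""
    by_profile = defaultdict(list)
    for ev in installs:
        by_profile[profile_key(ev)].append((datetime.fromisoformat(ev["ts"]), ev["device_id"]))
    flagged = {}
    for key, events in by_profile.items():
        if max_distinct_ids_in_window(events, window) >= min_new_ids:
            flagged[key] = sorted({dev for _, dev in events})
    return flagged


def fraud_share(installs, flagged):
    """Fraction of installs attributed to a flagged profile (cf. 'one in ten installs')."""
    hits = sum(1 for ev in installs if profile_key(ev) in flagged)
    return hits / len(installs) if installs else 0.0


if __name__ == "__main__":
    farms = find_reset_farms(SAMPLE_INSTALLS)
    for key, ids in farms.items():
        print(f"suspected reset farm {key}: {len(ids)} 'new' devices")
    print(f"share of installs from flagged profiles: {fraud_share(SAMPLE_INSTALLS, farms):.0%}")
```

On the constructed sample the Galaxy S7 profile behind 192.0.2.77 is flagged with twelve "new" devices in half an hour, while the legitimate reinstall from device A1 is counted once and stays below the threshold. In production the profile key would be widened with whatever stable signals the attribution platform has (carrier, screen geometry, SDK version), since a farm that rotates its egress IP as well as the device ID would defeat the IP-based grouping shown here.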

Global cyber attack could cost the global economy $53 billion

As Lloyd's of London and Cyence experts calculated in July, a powerful global cyber attack could cost the global economy $53 billion - about the same as the estimated damage from natural disasters such as Hurricane Sandy. In their report, the researchers described the possible damage to the economy from hacking into a cloud provider and cyber attacks on operating systems that run computers in companies around the world, reports Reuters news agency.[11]

Losses from a global cyber attack are comparable to damage from natural disasters. Photo: www.segodnya.ua


According to the assumption of experts Lloyd's of London and Cyence, attackers can inject malicious code into the cloud provider's software, programmed to disable computers in a year. After implementation, the malware will spread among the provider's customers, ranging from financial institutions to hotels, causing them huge losses from downtime and repair.

According to the researchers, the damage from serious cyber attacks could range from $4 billion to $53 billion, and could reach as much as $121 billion. The damage from hacking operating systems varies from $9.7 billion to $28.7 billion. For comparison, the damage from Hurricane Sandy, a powerful tropical cyclone that killed 185 people in 2012, amounted to $50 billion.

Positive Technologies: Russia ranked second in the number of cyber incidents

Every tenth cyber incident occurs in Russia, the number of ransomware Trojans will grow due to the "ransomware as a service" model, and the power of DDoS attacks will increase due to vulnerabilities in "smart things." Such observations and forecasts are contained in a new Positive Technologies study of current cyber threats for the first quarter of 2017.

Positive Technologies experts note that in the first three months of 2017 there were only five days during which no information about new cyber incidents was received.

The most attacked country in the first quarter was the USA (41% of all attacks); Russia ranked second in the number of cyber incidents (10%), and Great Britain was third (7%). In all, at least 26 countries around the world were attacked.

The largest number of attacks were directed at state organizations, they accounted for every fifth attack (20%). The prerequisites for this can be the aggravated external and internal political situation of many countries. Social networks, search engines, online stores and other online services were the target of one in nine attacks (11%). The situation in the financial industry is slightly better - banks accounted for 9% of all incidents. This is followed by education (8%), medical institutions and services (7% each), industrial companies (5%) and defense enterprises (3%).

In the study, the experts considered the incidents that occurred from two sides at once: what the attackers attacked and how they did it. Thus, most of the attacks were aimed at the IT infrastructure of companies (40% of attacks). Mostly, the attackers were interested in sensitive information (for example, personal data, data of payment card holders), which can be sold on the black market. However, experts note a decrease in the interest of cybercriminals in personal data and, accordingly, a decrease in their cost, which may be due to a glut in the market.

The second most common was attacks on web applications (33%), which open up many opportunities for attackers: from obtaining confidential information to penetrating the company's internal network. Most web attacks were implemented through vulnerable components (legacy libraries and CMS systems), although web application vulnerabilities were also exploited. Positive Technologies specialists in early 2017 recorded many attacks on the websites of government organizations and various commercial companies.

The number of attacks on POS terminals (3% of all attacks) also increased significantly, exceeding the figure for the first quarter of 2016 almost sixfold and amounting to 63% of all such attacks for the whole of 2016. Attackers used remote administration tools and Trojans.

As for the most popular attack methods, the use of malware is still in first place. Positive Technologies experts note the emergence of the ransomware-as-a-service model: malware creators are increasingly not the organizers of attacks, but earn money by selling Trojans to criminal groups. Thus, having profited from the sale, malware developers can prepare a new Trojan while other criminals carry out the attack itself.

As for DDoS attacks, in the first quarter of 2017 their power increased significantly due to the connection of more and more IoT devices to botnets. So, in March 2017, another malware (ELF_IMEIJ.A) was discovered aimed at IP cameras, video surveillance systems and network recording devices manufactured by AVTech. In addition, over 185 thousand vulnerable IP cameras have been identified, which may also be part of the new botnet.

Fortinet: The effectiveness of tracking and managing distributed infrastructures is being reduced

In June 2017, Fortinet released the findings of its worldwide threat study. The subject of the study was the cyber threat implementation chain in the context of corporate technologies and current trends in the sector; three main attack areas were considered: application exploits, malicious software and botnets. As the study shows, despite the widespread coverage of more high-profile attacks, a large-scale "Cybercrime as a Service" infrastructure has become the conduit for the predominant part of the successful attacks that organizations have encountered. The three key findings of the report are given below.[12]

1) Attackers always take into account past experience when developing attack tools that are ready for use anytime, anywhere

Thanks to modern tools and the Crime as a Service infrastructure, attackers can quickly act at a global level. This means that there are no distances or geographical boundaries on the Internet, since most threats function globally, not in individual regions. Criminals are always ready for an attack and are constantly looking for vulnerabilities at the international level.

Knowing the trends in the development of exploits, as well as how ransomware functions and spreads, will help avoid the harmful consequences of the attacks that will follow WannaCry. Ransomware and its varieties have spread around the world and affect hundreds of organizations at the same time.

  • Ransomware. Just under 10% of organizations have identified ransomware activity. On each individual day, 1.2% of organizations found ransomware botnets in their corporate networks. The most activity was seen over the weekend, with attackers attempting to inject malicious traffic bypassing security staff working over the weekend. As the average traffic volume of different ransomware botnets increased, so did the average number of organizations targeted by attacks.
  • Exploit trends. 80% of organizations reported identifying exploits in systems that pose serious and critical risks. Most of these targeted exploits have been developed over the past five years, but attackers have exploited vulnerabilities that existed in the last century. The distribution of exploits across geographical areas is quite uniform. This is probably due to the fact that the activity of a huge number of exploits is fully automated with the support of tools that scan the Internet for vulnerabilities.

2) The interpenetration of infrastructures, IoT included, accelerates the spread of malicious software

As the volume of data and resources shared between users and networks increases, so does the number of attacks across geographical areas and fields of activity. Malware research gives an idea of the stages of preparing and carrying out attacks. It should be noted that the task of protecting against mobile malware is complicated by factors such as the insecurity of devices inside the internal network, frequent connections to public networks and the lack of corporate control over devices owned by users.

  • Mobile malware. The prevalence of mobile malware for the period from the 4th quarter of 2016 to the 1st quarter of 2017 remained stable: about 20% of organizations detected mobile malware. This quarter, most of the 10 most common threats were malware families that hit Android devices. The total ratio for all types of malware in the 1st quarter was 8.7% - in the 4th quarter this value was 1.7%.
  • Distribution by region. Mobile malware is spreading more widely in all regions, with the exception of the Middle East. In all cases, the observed growth is statistically significant, it cannot be attributed to random fluctuations. When viewed regionally, the trends in the spread of malware that affects Android devices demonstrate the most obvious geographical relationship.


3) Improved monitoring of flexible distributed infrastructures

Threat trends vary by environment, so it's important to keep abreast of the changes that information technology, services, controls, and behavior undergo over time. The ability to access current data allows you to understand security policies and management models in general, as well as successfully track the development of exploits, malware and botnets as networks become more complex and more distributed.

As the number of potential attack directions within the expanded network increases, the effectiveness of tracking and managing modern infrastructures decreases. Trends such as the ubiquity of private and public cloud solutions, the development of IoT, the connection to networks of a large number of various intelligent devices, and the emergence of out-of-band threat directions, such as shadow IT resources, have led to an excessive increase in the burden on information security specialists.

  • Encrypted traffic. The average value of the ratio between HTTPS and HTTP traffic reached a record value of about 55%. This trend contributes to privacy, but creates difficulties in tracking and detecting threats. Many security features are not effective enough in tracking encrypted data. Organizations, especially those with higher HTTPS traffic, may face threats hidden in encrypted data.
  • Applications. On average, an organization uses 62 cloud applications, about a third of the total number of detected applications. At the same time, the number of IaaS applications has reached a new maximum. The problem for many organizations is that when data is moved to the cloud, the ability to track its state can noticeably decrease. In addition, there is a controversial trend towards an increase in the amount of data stored in such applications and services.
  • Areas of activity. As shown by group analysis by industry, for most areas, the same areas of threat pose a danger. Among the few exceptions were the fields of education and telecommunications. This means that attackers can easily use similar attack directions in different areas, especially with automated tools.

Dangerous network printers

On February 1, 2017, researchers at Ruhr University in Germany reported a number of critical vulnerabilities in the firmware of some network printer models. According to their study (officially presented in May 2017), through the discovered vulnerabilities attackers can obtain copies of documents sent for printing and even seize control of the corporate network.

As of February 7, 2017, all printers are controlled during printing by a computer using several special protocols and languages. In the case of network printers, the computer first initializes the printer through the device management protocol, then establishes data exchange with it through the network protocol, and then sends it a print job, first in the job control language and then in the page description language.[13]

Simply put, when printing starts, the computer finds a printer on the network, wakes it up and informs it that it needs to print, for example, two documents: first a document with one identifier, then one with another. At the same time, an additional description is sent for each document of exactly how it should be printed: advance one line, apply ink at such-and-such coordinates, and so on. The main job control and page description languages were written in the 1970s and 1980s and are used on all printers today.

The discovered vulnerabilities are potentially present on all printers (because their control languages are shared), but pose the greatest threat on network devices, since these can be connected to remotely rather than via USB, as is the case with home devices. The simplest thing an attacker can do with a network printer is to put it in a loop, forcing it to repeat the same action; the device then stops responding to all external commands.

Tested printers: red mark - vulnerabilities found, pink vulnerabilities found partially, white - no vulnerabilities found, (2017)

According to the researchers, vulnerabilities were found on 20 printers from Dell, HP, Lexmark International, Brother, Samsung, Kyocera, Konica and OKI. The scientists believe the problem is wider, but cannot verify this assumption, since the vulnerability study project is not funded. The researchers sent reports on the flaws found to the manufacturers, of which only Dell responded; as of January 2017, the vulnerabilities found had not been fixed.

The researchers created their own tool, the PRET program, which allows any printer connected via USB, Wi-Fi or LAN to be tested for these vulnerabilities.

Young hacker hacked 160 thousand printers around the world

The hacker, who calls himself Stackoverflowin and also a "god of hacking," claims to have written a script that automatically searches the Web for publicly accessible printers and point-of-sale terminals that support RAW, Internet Printing Protocol and Line Printer Remote, on ports 9100, 631 and 515 respectively.[14]

The script forced the discovered devices with open ports to print a boastful "letter of happiness" from the hacker, containing a recommendation to close the printers' ports urgently.

Even after these messages were sent, The Register, using the Shodan.io search engine, found more than 143 thousand printers with port 9100 open.

Stackoverflowin, who claims to be under 18, also stated that he exploited three vulnerabilities in the web interface of Xerox equipment; these vulnerabilities allow arbitrary code to be run remotely on that hardware. According to the hacker, details of these flaws have not yet been disclosed.

Message from Stackoverflowin printed by thousands of hacked printers

In general, the hacker remarked that he was even somewhat upset at how easy the whole thing was.

On social networks (primarily Twitter), posts with photos of printouts of the hacker's message are multiplying around the world, so it is obvious that Stackoverflowin is not boasting without reason.
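The two printer stories above turn on the same point: print services (RAW on port 9100, IPP on 631, LPR on 515) reachable from outside the organization. A defender's first check is whether the perimeter actually lets such connections through. The following is an added example for this page, not a tool from the Ruhr University study or from The Register: the firewall log format is a constructed assumption, the sample lines are invented, and "internal" is taken to mean the RFC 1918 ranges. It parses the lines, reports every external connection to a printer port (denied ones show probing, allowed ones show exposure) and lists the printers that accepted one.

```python
import ipaddress
import re

# Printer service ports named on the page: RAW/JetDirect 9100, IPP 631, LPR/LPD 515.
PRINTER_PORTS = {9100: "RAW", 631: "IPP", 515: "LPR"}

# RFC 1918 address space; anything outside it is treated as external here
# (assumption: the organization routes no other ranges internally).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log format (an assumption, not any real product's syntax):
# "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample log: one internal print job, two external connections that
# were allowed, one that was denied, one unrelated HTTPS flow and one bad line.
SAMPLE_LOG = """\
2017-02-05T12:00:01 ALLOW TCP 10.0.5.14:40001 -> 10.0.3.20:9100
2017-02-05T12:00:07 ALLOW TCP 203.0.113.9:51234 -> 10.0.3.20:9100
2017-02-05T12:00:09 ALLOW TCP 198.51.100.23:4400 -> 10.0.3.21:631
2017-02-05T12:00:12 DENY TCP 198.51.100.23:4401 -> 10.0.3.22:515
2017-02-05T12:00:15 ALLOW TCP 203.0.113.9:51300 -> 10.0.3.30:443
this line is deliberately malformed and must be skipped
"""


def is_internal(addr):
    """True if `addr` lies inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}


def find_external_printer_access(lines):
    """Connections from non-internal sources to printer service ports, in log order.

    Both ALLOW and DENY entries are reported: a denied attempt still shows that a
    printer is being probed from outside; an allowed one shows that it is exposed."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in PRINTER_PORTS:
            continue
        if is_internal(rec["src"]):
            continue
        rec["service"] = PRINTER_PORTS[rec["dport"]]
        findings.append(rec)
    return findings


def exposed_printers(findings):
    """Destination addresses that actually accepted an external printer-port connection."""
    return {f["dst"] for f in findings if f["action"] == "ALLOW"}


if __name__ == "__main__":
    hits = find_external_printer_access(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ts']} {h['action']:5} {h['src']} -> {h['dst']}:{h['dport']} ({h['service']})")
    print("printers reachable on print ports from outside:", sorted(exposed_printers(hits)))
```

Note that `ipaddress.ip_address(...).is_private` is deliberately not used for the internal test: the Python standard library also classifies the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 as "private", which would silently hide the sample's external sources. Explicit RFC 1918 membership avoids that surprise.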

2016: Panda Security White Paper on Attacks on Critical Infrastructure Engineering in the World

On November 30, 2016, Panda Security's PandaLabs division announced the publication of a white paper with information about the most high-profile cyber attacks on vital engineering infrastructure (critical) in the world and recommendations on how to protect against attacks on the main pillar of the economy of our time. Below is a fragment of the publication.

Panda Security White Paper, (2016)

The growing trend of interconnection between all types of infrastructure reflects the growth in the potential number of entry points for attacks on facilities that have become vital for modern society. This also applies to the cyber attacks carried out against such networks in the past: one of the first such attacks was carried out in 1982, before the advent of the Internet, when hackers infected the systems of a Siberian oil pipeline with a Trojan, leading to one of the most powerful non-nuclear explosions in the world.

In addition to the partial or complete shutdown of critical infrastructure facilities, as happened to the Venezuelan oil company PDVSA when an attack reduced oil production from 3 million to 370 thousand barrels per day, such attacks also cause significant financial damage. One of the largest car manufacturers in the United States suffered a loss of $150 million "thanks" to an attack using SQL Slammer, which quickly spread to 17 of the company's factories.

One of the most notorious cases of cyber attacks on critical infrastructure in history is Stuxnet. It is already known that this was a coordinated attack by the American and Israeli special services aimed at disrupting Iran's nuclear program. This case was a catalyst that made the world community learn about the varieties of threats.

Some events over the years have become milestones in the development of world security, in particular the attacks of September 11. In Europe there is a similar date, March 11, 2004, when trains were bombed in Madrid. As a result, the European Commission developed a global strategy for the protection of critical infrastructure, the "European Programme for Critical Infrastructure Protection," which contains proposals for improving the set of measures in Europe designed to prevent terrorist attacks and respond to them effectively.

As a result of such attacks, among other things, the technical characteristics of critical infrastructure objects and a huge amount of other critical data can be stolen. This means that special measures must be taken to protect such infrastructure, including proven practices:

  • Checking systems for vulnerabilities.
  • Adequate monitoring of the networks used to control such infrastructure facilities and, if necessary, their complete isolation from external connections.
  • Control over removable devices, which is extremely important in any infrastructure, not only because they are the focus of such attacks, as was the case with Stuxnet. When protecting such critical infrastructure, it is critical to ensure that malware does not penetrate internal networks through removable devices, which can also be used to steal confidential information.
  • Monitoring of the computers to which programmable logic controllers (PLCs) are connected. These Internet-connected devices are the most sensitive because they can give hackers access to critical control systems. Even if hackers cannot gain control of the system, they can obtain information valuable for other areas of attack.[15]

2015: 10 Most Dangerous Cyber Attacks of the Year

Neither personal information nor fingerprints were completely safe from cyber criminals in 2015[16]. Below we give a brief overview of the most dangerous and alarming attacks of 2015.

Fingerprint theft

If fingerprints are considered one of the safest methods of biometric security (the method is used to unlock the iPhone), the theft of information belonging to US government employees showed that this system has problems that need attention.

In June 2015, a group of cyber criminals was able to obtain the fingerprints of approximately six million employees of US federal departments and institutions, which could endanger not only their mobile phones but also the security of the country.[17]

Remote control over smart cars

Another big challenge facing cyber security professionals is the smart car incident.[18] Until there is an appropriate solution, these cars will remain vulnerable to manipulation. Last summer, two hackers showed that bugs in the Jeep Cherokee's computer system can be exploited to seize control of the car, even managing to apply the brakes, with all operations carried out remotely.

Thousands of infected Android devices

Not all vulnerabilities in the IT security world concern modern solutions and devices. In fact, smartphones were at the center of a massive scandal in 2015, when thousands of Android devices were affected by Stagefright; as a result of this security incident, cyber criminals were able to access and control any Android phone without its owner's knowledge.

Online dating furore

No doubt the biggest scandal of the year was the leak of data on more than 32 million users of the online dating site Ashley Madison.[19][20][21] This incident sent a powerful shock wave through the world of cyber security, once again reminding each of us (both users and owners of online platforms) of the dangers facing IT security.

Vulnerable infusion pump

Human health and safety are also at risk as a result of vulnerabilities in various devices. Moreover, this concerns not only smart cars that can be remotely controlled and driven into an accident: in 2015 there was an incident with an infusion pump used in hospitals. It turned out that if a cyber criminal managed to connect to the hospital's local network, he could gain access to this device, manipulating it and changing its operating parameters.

Risks for filling stations

Not only devices in hospitals, but also gas stations can be in danger, as researchers on both sides of the Atlantic could see. By connecting to the network, cyber criminals can attack fuel pumps, which can even lead to an explosion.

The year that Apple would like to forget

2015 was the worst year for Apple in terms of security, as the number of attacks directed at its devices increased fivefold compared to 2014, while the number of new vulnerabilities continued to grow. One such example is the Dyld bug discovered last summer that affected the Mac OS X operating system.[22]

Data theft through third parties

In 2015, the data of 15 million T-Mobile users was stolen by cyber criminals. According to the company, the information was not taken from their corporate servers, but it was stolen from the company that managed T-Mobile customer payments.

Stealing data through web browsers

In the summer of 2015, Firefox had to inform its users that a browser failure was caused by an incident[23][24] in which cyber criminals could find and steal user files without their knowledge.

A bad end to the year for Dell

The last scandal of 2015 happened in December, when it was discovered that serious security errors were hidden in the latest models of Dell computers. Thanks to these vulnerabilities, cyber criminals were able to change communications between different systems and steal information from affected computers.

2011: A new round of attacks will target industrial and energy companies - McAfee

As of July 2011, according to McAfee, cybercriminals had spent at least 5 years purposefully attacking 70 government agencies, nonprofits and corporations to steal data. These include, for example, the UN, the International Olympic Committee (IOC) and commercial companies located in the United States.

McAfee does not specify who is behind these attacks. Most of the victims are not named in the McAfee report, nor is the kind of data that was stolen. It is only reported that, in addition to the United States, these are companies and organizations from countries such as Canada, South Korea, Taiwan, Japan and many others.

The report comes after a series of highly skilled hacking attacks in recent months that hit Citigroup, Sony Corp., Lockheed Martin, PBS and others. According to McAfee experts, so-called hacktivist groups such as Anonymous and LulzSec were involved in all of them.

According to Dmitri Alperovitch, vice president of threat research at McAfee and the author of the report, the threat is much greater, and many cases were simply not made public. The key to these intrusions, he said, "is a massive hunger for other people's secrets and intellectual property."

Not all organizations, however, take the researchers' warnings at face value. In particular, IOC spokesman Mark Adams said that McAfee's researchers had so far not provided the committee with any evidence of attempts to compromise its information security.

"If that is true, then of course it cannot help but unsettle us. However, the IOC is a transparent organization and does not have secrets that would jeopardize our activities or reputation," he added.

Meanwhile, researchers warn that industrial and energy companies in particular may become the next target of cyberattacks.

"This is not a threat only to the United States, this is a global threat," said Tim Roxey, director of risk management at North American Electric Reliability Corporation (NERC).

According to NERC, hackers are able to gain access to any piece of power-plant equipment, down to the turbine valves.

Roxey also recalled how a group of scientists had to leave a nuclear reactor as a result of an attack by the notorious Stuxnet worm. According to Siemens AG experts, such attacks do not even require a well-coordinated hacker group: a single attacker with enough experience and time could carry one out.

2010: Expanding attacks on operating systems other than Windows

In 2010 there was a significant turn in cybercrime: for the first time, attackers began to shift their attention away from the PC and Windows toward other operating systems and platforms, including smartphones, tablets and mobile devices in general. This was stated in the Cisco Annual Security Report for 2010, published on January 20, 2011.

In the previous ten years, hackers had targeted primarily PC operating systems. In response, vendors of PC platforms and applications strengthened the protection of their products and became far more active in finding and closing vulnerabilities with corrective updates (patches). As a result, it became increasingly difficult for attackers to break into platforms (the Windows platform in particular) that had previously been their bread and butter, so they went looking for new areas in which to apply their malicious "talents." Conveniently for them, mobile devices and applications were spreading rapidly across the market. Cisco therefore expected that in 2011 the greatest threat to users would come from mobile applications created by third-party developers.

1982: CIA blasts Soviet gas pipeline

According to this account, US CIA officers planted a deliberate defect in Canadian software used to control gas pipelines. Soviet intelligence obtained the software through industrial espionage and deployed it on the Trans-Siberian pipeline; the result was said to be the largest non-nuclear explosion in human history, which occurred in 1982. The account rests on the 2004 memoir of former US National Security Council staffer Thomas Reed and has been disputed; no independent confirmation of the explosion or of the sabotage has been published.

Notes

  1. Pirates attacking the Russian aerospace industry
  2. Estonian government sites under attack for several days
  3. Losses from BEC attacks reach $26 billion a year
  4. Murashov: IoT harbors hidden threats, comnews.ru, 2019-12-17, https://www.comnews.ru/content/203555/2019-12-17/2019-w51/iot-tait-skrytye-ugrozy
  5. Same source as note 4
  6. Experts estimated the damage from a global cyber attack at $85 billion to $193 billion
  7. Four US gas pipeline data systems shut down as cyberattack hits
  8. Results of the year: cyber attacks cost more and more
  9. A computer that "cannot be hacked" has been invented
  10. AppsFlyer unveils Protect360 to protect businesses from mobile fraud
  11. Insurers calculate the damage to the global economy from a global cyber attack
  12. The Fortinet Global Threat Landscape Report presents data collected by FortiGuard Labs through an extensive network of devices and sensors in production environments in Q1 2017. Data was collected at global, regional, sector and organizational scale. The focus was on three interconnected types of threats: application exploits, malware and botnets. In addition, Fortinet publishes a threat intelligence brief (free of charge with a subscription) that provides a weekly overview of the most dangerous malware and network threats, as well as links to the most recent Fortinet research.
  13. Printers turned out to be dangerous for corporate networks
  14. A young hacker hacked 160 thousand printers around the world
  15. Panda Security report (Google Drive), https://drive.google.com/file/d/0BzpiIBsGLoCONTlvMzBWNXdSTUtvTVQyTzE2dUhiUDN0Z2FZ/view?usp=sharing
  16. The 10 most alarming cyberattacks of 2015
  17. US government hack stole fingerprints of 5.6 million federal employees
  18. Security flaws affecting "connected" vehicles
  19. Lessons We Should Learn From The Ashley Madison Breach, club.cnews.ru blog, http://club.cnews.ru/blogs/entry/uroki_kotorye_my_dolzhny_izvlech_iz_utechki_dannyh_s_ashley_madison
  20. Same source as note 19
  21. Same source as note 19
  22. Apple applied security measures after a disastrous year
  23. You need to update Firefox right now to protect yourself from a big security flaw, techinsider.io, August 2015, http://www.techinsider.io/a-firefox-exploit-was-found-in-the-wild-2015-8
  24. Same source as note 23